Malware Analysis Report

2025-08-06 03:32

Sample ID 240419-tbrqhagd25
Target 9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b
SHA256 9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b
Tags: glupteba discovery dropper evasion loader persistence rootkit upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b

Threat Level: Known bad

The file 9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2024-04-19 15:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-19 15:53

Reported: 2024-04-19 15:55

Platform: win10v2004-20240412-en

Max time kernel: 149s

Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS


Suspicious behavior: EnumeratesProcesses


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\system32\cmd.exe
PID 4548 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3460 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\rss\csrss.exe
PID 4516 wrote to memory of 2324 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 2020 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 2712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 4620 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2640 wrote to memory of 4232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe

"C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe

"C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
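
The sc sdset command in the process list above rewrites the security descriptor of the WinDefender service. The descriptor is the security-relevant part of that line: compared with a stock service descriptor it drops the stop (WP) and pause/continue (DT) rights from the Administrators allow ACE and adds an explicit deny ACE for the same two rights, so an administrator can no longer stop the service with sc stop or Task Manager, while LocalSystem keeps full control. The decoder below is an added example, not code from the report or from the sandbox; the MALICIOUS string is copied from the command line, BASELINE is an assumed stock Windows service SDDL used only as the comparison point, and the right and SID tables are the standard SDDL token mappings.

```python
"""Decode the service security descriptor written by the sc sdset command in
the process list above and diff it against a stock service descriptor.
Added example (not part of the report); the MALICIOUS string is copied from
the command line, BASELINE is an assumed stock Windows service SDDL used only
as the comparison point, and the token tables are the standard SDDL mappings."""
import re

# SDDL right tokens -> the service-specific access rights they denote.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations used in these descriptors.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}

MALICIOUS = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: the descriptor most Windows services carry by default.
BASELINE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]} with each ACE as (type, flags, rights, trustee)."""
    out = {"D": [], "S": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace_type, flags, rights, _obj, _inherit, sid in ACE_RE.findall(body):
            names = {RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
            out[section].append((ace_type, flags, names, TRUSTEES.get(sid, sid)))
    return out

def effective(sd, trustee):
    """Rights the trustee keeps once its allow and deny ACEs are combined.
    Simplification: Windows evaluates ACEs in order, and this descriptor puts the
    deny ACE after the allow ACE (non-canonical order). The answer is the same
    here because the Administrators allow ACE already omits WP and DT."""
    allowed, denied = set(), set()
    for ace_type, _flags, names, who in sd["D"]:
        if who == trustee:
            (allowed if ace_type == "A" else denied).update(names)
    return allowed - denied

def diff_against_baseline(sddl, baseline=BASELINE):
    """Per trustee, rights lost relative to the baseline, plus explicit deny ACEs."""
    new, base = parse_sddl(sddl), parse_sddl(baseline)
    removed = {}
    for who in sorted({ace[3] for ace in base["D"]}):
        lost = effective(base, who) - effective(new, who)
        if lost:
            removed[who] = lost
    denies = [(who, names) for t, _f, names, who in new["D"] if t == "D"]
    return removed, denies

def repair_command(service="WinDefender"):
    """Administrators keep WRITE_DAC, so they can reset the descriptor before stopping the service."""
    return f"sc sdset {service} {BASELINE}"

if __name__ == "__main__":
    removed, denies = diff_against_baseline(MALICIOUS)
    for who, rights in removed.items():
        print(f"{who} lost: {', '.join(sorted(rights))}")
    for who, rights in denies:
        print(f"explicit deny for {who}: {', '.join(sorted(rights))}")
    print(repair_command())
```

Two practical points follow from the decode. The descriptor leaves Administrators with WRITE_DAC and SERVICE_CHANGE_CONFIG, so an elevated shell can put the stock descriptor back (the repair_command output) and then stop and delete the service; it does not have to boot into another environment. And the `(D;;WPDT;;;BA)` fragment is a usable detection key on its own: a deny ACE for stop or pause targeting Builtin Administrators has no legitimate reason to appear in a service descriptor written from the command line.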

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 132.46.30.184.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 f80ee488-033c-4c69-9034-5d76f85cfe95.uuid.localstats.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 20.189.173.11:443 - tcp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.localstats.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server12.localstats.org tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server12.localstats.org tcp
US 199.232.210.172:80 - tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server12.localstats.org tcp
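
Most rows in the table above are not the malware talking: the in-addr.arpa queries are reverse lookups the OS issues for every peer, the bing.com traffic belongs to the sandbox image, and the STUN exchange with stun4.l.google.com:19302 is how the implant learns its public address rather than a command channel. What is left is a GUID-labelled query under uuid.localstats.org (a per-victim identifier carried in the DNS name), three TLS sessions to server12.localstats.org on 185.82.216.111, one session each to cdn.discordapp.com and carsalessystem.com, and two connections straight to an IP with no name. The triage below is an added example, not code from the report or the sandbox; ROWS is a subset of the table copied verbatim, and the classification rules and the noise list are ours.

```python
"""Triage of the network table above: separate sandbox and OS noise from the
contacts worth pivoting on, and reduce per-victim DNS names to their stable
part. Added example (not part of the report); ROWS is a subset of the table
copied verbatim, the classification rules and noise list are ours."""
import re
from collections import Counter

ROWS = """\
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 f80ee488-033c-4c69-9034-5d76f85cfe95.uuid.localstats.org udp
US 20.189.173.11:443 tcp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server12.localstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server12.localstats.org tcp
US 199.232.210.172:80 tcp
BG 185.82.216.111:443 server12.localstats.org tcp
"""

# A leading DNS label shaped like a GUID: a per-victim identifier carried in the query name.
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)
# Names the sandbox image contacts on its own (assumed noise list; extend per environment).
OS_NOISE_SUFFIXES = (".bing.com", ".bing.net")
STUN_PORT = 19302

def parse_rows(text):
    """Yield one dict per table row; rows without a domain column are direct-to-IP connections."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port),
               "domain": domain.lower(), "proto": proto}

def classify(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "noise-ptr"      # reverse lookups the OS issues for every peer it talks to
    if d.endswith(OS_NOISE_SUFFIXES):
        return "noise-os"
    if "stun" in d.split(".")[0] or row["port"] == STUN_PORT:
        return "stun"           # public-IP / NAT discovery, not a command channel
    if UUID_LABEL.match(d):
        return "beacon-uuid"    # victim ID encoded in the name; the stable suffix is the IOC
    if not d:
        return "direct-ip"      # no name: pivot on the IP and port, check who owns the prefix
    return "contact"

def triage(text):
    """Group rows by class and count each (ip, domain) endpoint actually connected to (not DNS)."""
    by_class = {}
    for row in parse_rows(text):
        by_class.setdefault(classify(row), []).append(row)
    endpoints = Counter(
        (r["ip"], r["domain"])
        for cls in ("contact", "direct-ip") for r in by_class.get(cls, [])
        if r["port"] != 53)
    return by_class, endpoints

def iocs(text):
    """Domains to block or hunt (UUID label stripped) and IPs contacted more than once."""
    by_class, endpoints = triage(text)
    domains = {UUID_LABEL.sub("", r["domain"])
               for cls in ("contact", "beacon-uuid") for r in by_class.get(cls, [])}
    repeated = {ip for (ip, _), n in endpoints.items() if n > 1}
    return sorted(domains), sorted(repeated)

if __name__ == "__main__":
    by_class, endpoints = triage(ROWS)
    for cls, rows in by_class.items():
        print(f"{cls:12s} {len(rows)} rows")
    domains, repeated = iocs(ROWS)
    print("domains:", ", ".join(domains))
    print("repeated endpoints:", ", ".join(repeated))
```

Block and hunt on the names, not only the addresses: the addresses behind cdn.discordapp.com and carsalessystem.com sit in shared CDN ranges, so an IP block there hits unrelated traffic, while the GUID label in front of uuid.localstats.org changes per victim and the stable suffix is what a DNS rule should match. The two direct-to-IP connections need an ownership lookup before they go on a block list; the table does not say what they are.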

Files

memory/4900-1-0x0000000003B50000-0x0000000003F4A000-memory.dmp

memory/4900-2-0x0000000003F50000-0x000000000483B000-memory.dmp

memory/4900-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4740-4-0x00000000048A0000-0x00000000048D6000-memory.dmp

memory/4740-5-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4740-6-0x0000000002700000-0x0000000002710000-memory.dmp

memory/4740-7-0x0000000004F10000-0x0000000005538000-memory.dmp

memory/4740-8-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

memory/4740-9-0x0000000005770000-0x00000000057D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqei0b2a.wt3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4740-15-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/4740-20-0x00000000059C0000-0x0000000005D14000-memory.dmp

memory/4740-21-0x0000000005E70000-0x0000000005E8E000-memory.dmp

memory/4740-22-0x00000000061C0000-0x000000000620C000-memory.dmp

memory/4740-23-0x0000000006290000-0x00000000062D4000-memory.dmp

memory/4740-24-0x0000000006F90000-0x0000000007006000-memory.dmp

memory/4740-25-0x0000000007690000-0x0000000007D0A000-memory.dmp

memory/4740-26-0x0000000007030000-0x000000000704A000-memory.dmp

memory/4740-27-0x000000007EF30000-0x000000007EF40000-memory.dmp

memory/4740-29-0x00000000703D0000-0x000000007041C000-memory.dmp

memory/4740-28-0x00000000073F0000-0x0000000007422000-memory.dmp

memory/4740-30-0x0000000070550000-0x00000000708A4000-memory.dmp

memory/4740-41-0x0000000002700000-0x0000000002710000-memory.dmp

memory/4740-40-0x0000000007430000-0x000000000744E000-memory.dmp

memory/4740-42-0x0000000007450000-0x00000000074F3000-memory.dmp

memory/4740-43-0x0000000007540000-0x000000000754A000-memory.dmp

memory/4740-44-0x0000000007D10000-0x0000000007DA6000-memory.dmp

memory/4740-45-0x0000000007550000-0x0000000007561000-memory.dmp

memory/4740-46-0x0000000007590000-0x000000000759E000-memory.dmp

memory/4740-47-0x00000000075B0000-0x00000000075C4000-memory.dmp

memory/4740-48-0x0000000007600000-0x000000000761A000-memory.dmp

memory/4740-49-0x00000000075F0000-0x00000000075F8000-memory.dmp

memory/4740-52-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4900-54-0x0000000003B50000-0x0000000003F4A000-memory.dmp

memory/3460-55-0x0000000003A00000-0x0000000003DFA000-memory.dmp

memory/4900-56-0x0000000003F50000-0x000000000483B000-memory.dmp

memory/3460-57-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3036-58-0x0000000004970000-0x0000000004980000-memory.dmp

memory/3036-59-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4900-61-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3036-62-0x0000000004970000-0x0000000004980000-memory.dmp

memory/3036-60-0x0000000005860000-0x0000000005BB4000-memory.dmp

memory/3036-73-0x00000000703D0000-0x000000007041C000-memory.dmp

memory/3036-74-0x0000000070B50000-0x0000000070EA4000-memory.dmp

memory/3036-85-0x00000000070D0000-0x0000000007173000-memory.dmp

memory/3036-86-0x0000000004970000-0x0000000004980000-memory.dmp

memory/3036-84-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

memory/3036-87-0x00000000073E0000-0x00000000073F1000-memory.dmp

memory/3036-88-0x0000000007430000-0x0000000007444000-memory.dmp

memory/3036-91-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2228-93-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2228-94-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/2228-95-0x0000000004B90000-0x0000000004BA0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8385a3c522416ff0fb81e2d8b881d4b0
SHA1 8a42e2edf2222e8bd04bb8d4b3f16379d0ce2fb3
SHA256 e9382a2d511f8ac85f803836a03b8843484fa6b5c0320851d745f6c8dedfb2ac
SHA512 ced27608bbe23d4510a9e1b9540965706d3e43bd38899101a9cc96f58f6bc79a4cd21b809efd9dc675471467fe45100d75d8e2d9b0f725105af0be9cb2cb91eb

memory/2228-107-0x00000000703D0000-0x000000007041C000-memory.dmp

memory/2228-106-0x000000007F5A0000-0x000000007F5B0000-memory.dmp

memory/2228-108-0x0000000070550000-0x00000000708A4000-memory.dmp

memory/2228-118-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/2228-120-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3460-121-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3460-122-0x0000000003A00000-0x0000000003DFA000-memory.dmp

memory/1892-132-0x0000000005E30000-0x0000000006184000-memory.dmp

memory/3460-133-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1892-135-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1892-136-0x0000000004D00000-0x0000000004D10000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 24de4b9af2f918effac4cf4118b60b59
SHA1 df446fb70b86c475e988302f5145239d2ef8ebcc
SHA256 3769a5cd8724af84e3829fe7d0d7246909fc146e14a47ad41579d58022c4bd71
SHA512 e88ddce3fcceca092463650a78b9b020b209ea439ea7e3fa1965eec2692451ffdc87ed1e78d3a30f445190baf6da6adebada9d528d4a38bfd8bf46997efb688e

memory/1892-137-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/1892-139-0x00000000703D0000-0x000000007041C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 80dcd002613d02cf485e511aa3cff427
SHA1 dc10c38af729c9b18b5840a149c28e65fe8f49bf
SHA256 9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b
SHA512 7fb5cd2886932cab4cf764bed7d3de6feabc434faf90a7d2e28dafb5e1034b546ddf7ba8a1998c7265eacb8b3d6d7ac02a4fe8ce038e3c1333d89337ae5388f1
Same SHA256 as the submitted sample: the dropper copies itself unchanged to C:\Windows\rss\csrss.exe. A hash block on the sample therefore also covers this file; the non-System32 directory and the borrowed system-process name are the more durable hunting keys.

memory/3460-157-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c244f780c7286821d25b64334e0a5a2c
SHA1 9bdda06c771b894ccb3508dfd69f22515d4ebc0a
SHA256 c4fbb16b2c343d8fb6ae16a7f06ff5590f47a4852c57265e4607b0ee33590a32
SHA512 30cf831aecdb899b811873774aee0246d6563b0870342a292cdab04e50e5021a122d5b143f59c90c471c99706488b9916df1cf3755ef924c620f9c71c919783e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5bcbe2160d2b880b547f636c9a3b8a48
SHA1 37ac41021318320a6f19fc06783b1d429512a1c8
SHA256 1f504d58048b3e862a6bde3e542162f03831b13c41bee72dd3aaaf340d96d831
SHA512 435f1fbbd9e4815c59d1e1c977497945df543b0540d65ffb98e58899e2f8dd7f71a5d1ac7a6b560766fb6f37773c5e8f5a7323631b4899f55220684944d882f1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fb624a3337c212cd7cf1df1910a7c43e
SHA1 1438dca893dd5c8b0f84c31037025d04cb6824a9
SHA256 872e856e1151ac623a0ce160f5aef619013b8084fa87f0b586b43e5b80783892
SHA512 034ff5041087188cce3c4aceb1010768532ddc3617aac5887314a586e0338f1661bba5f08973816b085eaa38438a73b5d36fa1ac03598dd461501243253f672f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4516-257-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
A different binary from the submitted sample (second stage, its own hash); the behavioral2 signatures record it being created by C:\Windows\rss\csrss.exe.

memory/2640-266-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4516-267-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-269-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4904-270-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4516-272-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-275-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4904-276-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4516-278-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-281-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-284-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-287-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-290-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-293-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4516-296-0x0000000000400000-0x0000000001DFD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 15:53

Reported

2024-04-19 15:56

Platform

win11-20240412-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 hits; the sandbox recorded no description, indicator, process or target for any of them

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
4 hits; the sandbox recorded no description, indicator, process or target for any of them

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
These files are PowerShell's own startup-profile cache and the CLR usage log, not payloads; their location under config\systemprofile shows that the 32-bit powershell.exe instances ran under the LocalSystem account.

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
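
The behavioral1 process list and the persistence signatures in this section (the Run key under HKCU\...\CurrentVersion\Run and the ONLOGON task with /RL HIGHEST) share a small set of traits that do not depend on the sample's hash: a core system-process name (csrss.exe) running from C:\Windows\rss, a netsh inbound allow rule for that path, a scheduled task launching it at logon with highest privileges, a schtasks /delete of another task, an sc sdset whose descriptor denies stop/pause to Administrators, and a helper named injector.exe handing a *Hook.dll to taskmgr.exe. The rules below are an added example, not code from the report or from any vendor ruleset; the events are constructed from the command lines and the Run-key value shown on this page plus one benign control, and the rule names, the system-process list and the directory checks are ours.

```python
"""Detection rules for the persistence and defence-evasion steps this report
records, run over Sysmon-style events. Added example (not part of the report
or of any vendor ruleset): the events are constructed here from the command
lines and the Run-key value shown on this page, plus one benign control, and
the rule names and checks are ours."""
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str              # "process" or "registry"
    image: str             # process performing the action
    cmdline: str = ""      # command line (process events)
    target: str = ""       # registry value path (registry events)
    details: str = ""      # registry value data (registry events)

# Names of core Windows processes that never legitimately run from other directories.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                     "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def _in_system_dir(path):
    return path.strip('"').lower().startswith(SYSTEM_DIRS)

def rule_masquerade(ev):
    """Core system binary name executed from outside System32/SysWOW64 (T1036.005)."""
    return (ev.kind == "process" and _basename(ev.image) in SYSTEM_ONLY_NAMES
            and not _in_system_dir(ev.image))

def rule_firewall_allow(ev):
    """netsh adds an inbound allow rule for a program outside System32 and Program Files."""
    if ev.kind != "process" or _basename(ev.image) != "netsh.exe":
        return False
    m = re.search(r'advfirewall\s+firewall\s+add\s+rule.*\bprogram="?([^"\s]+)', ev.cmdline, re.I)
    return bool(m) and not _in_system_dir(m.group(1)) and "program files" not in m.group(1).lower()

def rule_schtask_onlogon_highest(ev):
    """schtasks /CREATE at logon with highest privileges for a target outside the system directories."""
    if ev.kind != "process" or _basename(ev.image) != "schtasks.exe":
        return False
    c = ev.cmdline.lower()
    m = re.search(r'/tr\s+"?([^"]+?)"?\s+/tn', c)
    return ("/create" in c and "/sc onlogon" in c and "/rl highest" in c
            and bool(m) and not _in_system_dir(m.group(1)))

def rule_schtask_delete(ev):
    """schtasks /delete: removal of an existing task (here 'ScheduledUpdate')."""
    return (ev.kind == "process" and _basename(ev.image) == "schtasks.exe"
            and "/delete" in ev.cmdline.lower())

def rule_service_sd_denies_admin_stop(ev):
    """sc sdset writing a deny ACE for stop (WP) or pause (DT) to Administrators (BA)."""
    return (ev.kind == "process" and _basename(ev.image) == "sc.exe"
            and "sdset" in ev.cmdline.lower()
            and re.search(r"\(D;;[A-Z]*(?:WP|DT)[A-Z]*;;;BA\)", ev.cmdline) is not None)

def rule_injector_hook_dll(ev):
    """A binary named injector passing a target process and a *Hook.dll to load into it."""
    return (ev.kind == "process"
            and re.search(r"\binjector\.exe\b.*\.exe\s+\S+hook\.dll", ev.cmdline, re.I) is not None)

def rule_run_key_masquerade(ev):
    """Run value whose target is a core system binary name living outside System32."""
    return (ev.kind == "registry" and "\\currentversion\\run\\" in ev.target.lower()
            and _basename(ev.details) in SYSTEM_ONLY_NAMES and not _in_system_dir(ev.details))

RULES = [rule_masquerade, rule_firewall_allow, rule_schtask_onlogon_highest, rule_schtask_delete,
         rule_service_sd_denies_admin_stop, rule_injector_hook_dll, rule_run_key_masquerade]

def scan(events):
    """Return (rule name, acting image) for every rule that fires on any event."""
    return [(rule.__name__, ev.image) for ev in events for rule in RULES if rule(ev)]

# Constructed events, taken from the command lines and Run-key value in this report.
EVENTS = [
    Event("process", r"C:\Windows\system32\netsh.exe",
          'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
          'program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    Event("process", r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    Event("process", r"C:\Windows\SYSTEM32\schtasks.exe",
          r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    Event("process", r"C:\Windows\SYSTEM32\schtasks.exe", "schtasks /delete /tn ScheduledUpdate /f"),
    Event("process", r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
          r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
          r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    Event("process", r"C:\Windows\SysWOW64\sc.exe",
          "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
          "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    Event("registry", r"C:\Windows\rss\csrss.exe",
          target=r"\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000"
                 r"\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
          details=r'"C:\Windows\rss\csrss.exe"'),
    # Benign control: the real csrss.exe from System32 must not fire anything.
    Event("process", r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\csrss.exe"),
]

if __name__ == "__main__":
    for name, image in scan(EVENTS):
        print(f"{name:34s} {image}")
```

Each rule keys on a trait the operator cannot change without losing the behaviour (a system-process name outside System32, a firewall exception for a non-system path, a logon task with highest privileges, a deny-to-Administrators service ACE), so they survive a rebuild of the sample; the one rule that keys on a file name, injector.exe with a *Hook.dll argument, is the weakest and is included because the argument shape is what makes it interesting. Tune the masquerade list and the directory checks to your own baseline before deploying: some third-party agents do install look-alike names under C:\Program Files, which is why that path is excluded from the firewall rule but not from the masquerade rule.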

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
The MuiCache entries are time-zone display strings cached from tzres.dll and the SystemCertificates keys are PowerShell initialising its certificate stores; none of them carries malware configuration. Their location in HKU\.DEFAULT, the hive the LocalSystem account uses, is the useful detail: the sample, windefender.exe and powershell.exe were all running as SYSTEM when they wrote them.

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe 12
C:\Windows\rss\csrss.exe 6
64 hits in total; the sandbox recorded no description, indicator or target for any of them

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2548 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2548 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2324 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2484 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\rss\csrss.exe
PID 2484 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\rss\csrss.exe
PID 2484 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe C:\Windows\rss\csrss.exe
PID 1000 wrote to memory of 2560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 2560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 2560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 888 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1000 wrote to memory of 888 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 396 wrote to memory of 3904 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3904 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3904 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3904 wrote to memory of 128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3904 wrote to memory of 128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3904 wrote to memory of 128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe

"C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe

"C:\Users\Admin\AppData\Local\Temp\9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 27407830-780b-4ebd-8977-bfd7400d95e9.uuid.localstats.org udp
US 8.8.8.8:53 server14.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server14.localstats.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server14.localstats.org tcp
BG 185.82.216.111:443 server14.localstats.org tcp

Files

memory/2548-1-0x0000000003C40000-0x0000000004047000-memory.dmp

memory/2548-2-0x0000000004050000-0x000000000493B000-memory.dmp

memory/2548-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4792-4-0x0000000002A90000-0x0000000002AC6000-memory.dmp

memory/4792-5-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/4792-6-0x0000000002B10000-0x0000000002B20000-memory.dmp

memory/4792-8-0x0000000002B10000-0x0000000002B20000-memory.dmp

memory/4792-7-0x00000000056B0000-0x0000000005CDA000-memory.dmp

memory/4792-9-0x00000000053C0000-0x00000000053E2000-memory.dmp

memory/4792-10-0x0000000005460000-0x00000000054C6000-memory.dmp

memory/4792-11-0x0000000005540000-0x00000000055A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixrlalys.wcm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4792-20-0x0000000005DE0000-0x0000000006137000-memory.dmp

memory/4792-21-0x0000000006280000-0x000000000629E000-memory.dmp

memory/4792-22-0x0000000006430000-0x000000000647C000-memory.dmp

memory/4792-23-0x00000000066C0000-0x0000000006706000-memory.dmp

memory/4792-24-0x000000007F8A0000-0x000000007F8B0000-memory.dmp

memory/4792-25-0x0000000007730000-0x0000000007764000-memory.dmp

memory/4792-26-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/4792-27-0x0000000070D30000-0x0000000071087000-memory.dmp

memory/4792-36-0x0000000007770000-0x000000000778E000-memory.dmp

memory/4792-37-0x0000000002B10000-0x0000000002B20000-memory.dmp

memory/4792-38-0x0000000007790000-0x0000000007834000-memory.dmp

memory/4792-39-0x0000000007F00000-0x000000000857A000-memory.dmp

memory/4792-40-0x00000000078C0000-0x00000000078DA000-memory.dmp

memory/4792-41-0x0000000007900000-0x000000000790A000-memory.dmp

memory/4792-42-0x0000000007A10000-0x0000000007AA6000-memory.dmp

memory/4792-43-0x0000000007920000-0x0000000007931000-memory.dmp

memory/4792-44-0x0000000007970000-0x000000000797E000-memory.dmp

memory/4792-45-0x0000000007980000-0x0000000007995000-memory.dmp

memory/4792-46-0x00000000079D0000-0x00000000079EA000-memory.dmp

memory/4792-47-0x00000000079F0000-0x00000000079F8000-memory.dmp

memory/4792-50-0x0000000074940000-0x00000000750F1000-memory.dmp

memory/2548-52-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2484-53-0x0000000003BA0000-0x0000000003FA0000-memory.dmp

memory/2548-54-0x0000000003C40000-0x0000000004047000-memory.dmp

memory/2548-55-0x0000000004050000-0x000000000493B000-memory.dmp

memory/2484-56-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1544-57-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/1544-58-0x0000000004800000-0x0000000004810000-memory.dmp

memory/1544-59-0x0000000004800000-0x0000000004810000-memory.dmp

memory/1544-68-0x0000000005850000-0x0000000005BA7000-memory.dmp

memory/1544-69-0x00000000061D0000-0x000000000621C000-memory.dmp

memory/1544-70-0x000000007F2C0000-0x000000007F2D0000-memory.dmp

memory/1544-72-0x0000000070E40000-0x0000000071197000-memory.dmp

memory/1544-71-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/1544-81-0x0000000006F00000-0x0000000006FA4000-memory.dmp

memory/1544-82-0x0000000004800000-0x0000000004810000-memory.dmp

memory/1544-83-0x0000000007240000-0x0000000007251000-memory.dmp

memory/1544-84-0x0000000007290000-0x00000000072A5000-memory.dmp

memory/1544-87-0x00000000749E0000-0x0000000075191000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/3480-89-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/3480-90-0x0000000002A60000-0x0000000002A70000-memory.dmp

memory/3480-91-0x0000000002A60000-0x0000000002A70000-memory.dmp

memory/3480-92-0x00000000058C0000-0x0000000005C17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d175d886e0e98be2f99342392553543c
SHA1 281c8d0a295e530c089d7c4782a0828fe4bac7c7
SHA256 da18e55917f75b116e52fb5fbbdf36e14b6446d2ed8d2a774ddddc65cf2b1b92
SHA512 3f80844c1f863c19312136e12df3f39dcc2322b60137d431fd41bda447fba385d8db9713cd023d884d9254336901d875a0cb3ea7201cc6f16a450101281dd8f5

memory/3480-104-0x0000000070F10000-0x0000000071267000-memory.dmp

memory/3480-103-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/3480-102-0x000000007FD60000-0x000000007FD70000-memory.dmp

memory/3480-113-0x0000000002A60000-0x0000000002A70000-memory.dmp

memory/3480-115-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/2484-116-0x0000000003BA0000-0x0000000003FA0000-memory.dmp

memory/2904-118-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/2904-117-0x00000000749E0000-0x0000000075191000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d78b5199474149b97ac83b212e4c6f8
SHA1 103ae937602e973b545d1125b54e47f628de21aa
SHA256 f3d19e27d9ce15ab53ab4f624537220bb9c01673e820c5c2e6f606120b091a7b
SHA512 889f9ce3606578488c8fb1cf359cc1829a269fa67362a80b05794bc441b45fba8cfb3082b1b92a3166404e845fd25bbe9bff27d040bcb70c53f4f2795e797a71

memory/2904-129-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/2904-130-0x0000000070F10000-0x0000000071267000-memory.dmp

memory/2904-128-0x000000007FB10000-0x000000007FB20000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 80dcd002613d02cf485e511aa3cff427
SHA1 dc10c38af729c9b18b5840a149c28e65fe8f49bf
SHA256 9fa45bbe1b4cd25678f3f1dbccc3d0d3136846db3c1c31f86edb08d53107733b
SHA512 7fb5cd2886932cab4cf764bed7d3de6feabc434faf90a7d2e28dafb5e1034b546ddf7ba8a1998c7265eacb8b3d6d7ac02a4fe8ce038e3c1333d89337ae5388f1

memory/2484-147-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a50971112df228510b2494f319ca1ef3
SHA1 ec2ea0059a2a9c3abdf4d110b77e43d4231d365a
SHA256 eccbdb9ef54fffbe5259e1ac858ffef3bc5ca420d7c7a1fe18290b79491d137c
SHA512 dfcaeb38e33c44b943e0dd61f6453a950ecc67e41eb420636c426152e3e87e7ffaff87a67b730563f7b4bb1ad4bc3d35e89960964cf93cf05df64e8beca82666

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a15797de742c73d1fac432444931b7ad
SHA1 fd08be1b267a759971213cd27dce6e7dd2811259
SHA256 50810943378d2908f7e92829b015d7b908e134b9d530cf104e871cd604979f26
SHA512 48653f633bd52e12b83e224b0c82d4ce239d329a96929c3c277d3f0b1b2018b4ae86f5c789c44531f176cf15eeeeeddaddc1af4fc78060f96f9f848595629ed5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d9aa34fc3046d3677128483aab12d5c0
SHA1 3b8b4e24784b0b34dd40131ab46762a985813a97
SHA256 0acdd363e3a4fdfd753a7b33dbb7b0283a2425ff5eb0875594800b79b8934d10
SHA512 7247275e7fa5d3949f866e3e7079dd07ad6fc5e1c57250e7ceb137950f54c01d94a9bcf4eb73559f2663c2d664a6d460d4615972399a542377dd1b77a5ff5c8c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1000-243-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/396-251-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1000-252-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3528-253-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1000-254-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-256-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3528-257-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1000-258-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-260-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-262-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-264-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-266-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-268-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-270-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-272-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1000-274-0x0000000000400000-0x0000000001DFD000-memory.dmp