Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-wnnkqabd74
Target 16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4
SHA256 16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4

Threat Level: Known bad

The file 16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 18:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 18:04

Reported

2024-04-19 18:06

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (20 matches, no details recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (5 events)
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (14 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A (12 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 events)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 4776 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 2556 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 4576 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 2116 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2036 wrote to memory of 4768 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 5004 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 1376 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\rss\csrss.exe
PID 1376 wrote to memory of 4880 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 3628 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 3048 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 2428 (2 events) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3736 wrote to memory of 1236 (3 events) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 4672 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe

"C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 2540

C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe

"C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtylfy0p.ggo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 64f7339b83fc36208ccd4f7118b4c79f
SHA1 ad2449149eb22d2a8c419f37217404c55f0d90d1
SHA256 a6ea11b15336f0d35e0a2601e24df8ee613dbd95788e52f30b0cb8a3fcaad09f
SHA512 77a76f18c2da334a108f6a79ecd9ef86a729c71fd431dd9444c09e50c8318ca9eb2a27323fd00a696b1d8d6b188f5df5166d2616c19863b6e3dda175bb5f0064

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b744f61ead40fd544dac2de28dcd52cd
SHA1 b6b14aa668039641dcb27e188c40e675b2e28a2e
SHA256 a361378897997987386bf43761627a66e8fc754042331a70c5003f5b8b6d19da
SHA512 1a97cc586ca7a4653221401d9eae181c7ec5e2ab26f4f47b48dc77ff31659bf0a2e8dd3d7e628886f9a978ffc91cc9ceb995f8cbe41694942a357d2fd8ef255b

C:\Windows\rss\csrss.exe

MD5 9b170885117769e075526c5dda642cf6
SHA1 b59d0a9e51648c63a700a1bf1f40dad956d389cd
SHA256 16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4
SHA512 417886cdf1b37f424a44c00b1689d25945f168b791a309c4e26c1ef3b39f273feeea38437503d5c0e5b5ad61e0fa23eb2315bb7bf62d4a648988beacb9b7be8b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9126905635e22df4d43dfd2c8c68384c
SHA1 e8f6325eacfad669b0147f22d4c148008bf6fe93
SHA256 3e3977e96e6c0c5af14c2b023502a7188f3d146e26531b48faad515e4b2df1de
SHA512 2ea3b50d0cadfcf6a2cca734f76f983395c6ca80534074d11ac4a00703353e498ecbbeb580270734c00eeb66ff90039f707ca28ddafc3f32aa4ce03b0e1c584e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 500bd774462c3a7ff20b7336296594a3
SHA1 08cd4c479da3d4e3941778645fb2ac7fe9a864af
SHA256 709d82e10809af422d21543bd0021210062d3757b22fd04f6ff6d6e8eabc8a6f
SHA512 19f988539015a63b3fc1127e2ffbfd3c244745cd568a0338b58784afa9257d6fc348bee8eddfafe6428668b11df63fcfb4dada7391257f44a1509c98df264ce7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d7e6338fe6a5bbb6bc6d393370d09eb
SHA1 e3e29f5175d9433d739292c9c1efe39005e9a2db
SHA256 633adeb02138fe6dea8a60cbafd3155711ed5fb8478957aa59d127abe4778ff8
SHA512 72d9b55942b207c7ec296d5fb201f756b80b63765f68caef26334b14fa26247887fdf42c7ce2e61d1c1d2ce1711bf0b27931cf2bac199fb681b259bf55a98721

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 18:04

Reported

2024-04-19 18:07

Platform

win11-20240412-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\system32\cmd.exe
PID 4724 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4724 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2648 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\rss\csrss.exe
PID 2648 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\rss\csrss.exe
PID 2648 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe C:\Windows\rss\csrss.exe
PID 4252 wrote to memory of 4900 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 4900 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 4900 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 1564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 1564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 1564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4252 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1324 wrote to memory of 5020 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 5020 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 5020 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5020 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5020 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe

"C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe

"C:\Users\Admin\AppData\Local\Temp\16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6f0251b4-cf91-4b07-a584-957b0dc9cad8.uuid.allstatsin.ru udp
US 8.8.8.8:53 server7.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.104:443 server7.allstatsin.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 162.159.134.233:443 tcp
BG 185.82.216.104:443 server7.allstatsin.ru tcp
BG 185.82.216.104:443 server7.allstatsin.ru tcp
BG 185.82.216.104:443 server7.allstatsin.ru tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffp3u0q0.qsq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8d0752d2837ee65e331ec8c8f0a59f3a
SHA1 1e607289378d81421921af222b8e8a8e84128b83
SHA256 63592d777ff83fe4dcf9f64a01c8a2e7ba5bbe6011d049897c4c69bcf5946f99
SHA512 6d641883c44ff8d979387b92f55b3d8c75fe71e74a00d978c37d1f302c62be658a02c5349d62352d6d7ca05b99c2c569625b9bad9cbdec08c8f61a4d881841eb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0497481d6b44a498eb95debe4d2939f9
SHA1 d6fcacc15c9dc56ced2420ec24c8d2c03e1b0cb0
SHA256 5fb804757e4e175675b9d397b0ef289b06590c24e52bb51ebe51984d6772fdf9
SHA512 f34b6ba1a5db69f0377b1bb98ab0a9577cd4de6471c16aa16fc31463c182650aa02fc0885bb2a048ce237d01fc0219fdcd221d77bddb190a33eb6fbfc0b56fd6

C:\Windows\rss\csrss.exe

MD5 9b170885117769e075526c5dda642cf6
SHA1 b59d0a9e51648c63a700a1bf1f40dad956d389cd
SHA256 16a75cc0804bebc88d21a9361d8d054f90831617c8dbe58f964b31df5c550ac4
SHA512 417886cdf1b37f424a44c00b1689d25945f168b791a309c4e26c1ef3b39f273feeea38437503d5c0e5b5ad61e0fa23eb2315bb7bf62d4a648988beacb9b7be8b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a9c91b9f512b3a104e808cc0438f69ef
SHA1 51edc40ff68317991364d03cd01e4c55b462cca0
SHA256 92d7f0f42f99edc77d2bbba45584fa6710ed60249e6ffc9d32827468ade7b2ee
SHA512 ec70f13b6cdaba7eba62ad6b0eda36cc1120d86bc21c11f3c9ca25ca5bf3cae0ab9d7d8ea54de1752043bfdf0f0cb0116fb2102601b86eeff2042d828f651788

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 70847aebb824ecb759b20022de7755bc
SHA1 b78f637b0fb1302436c033c19d144006d6904324
SHA256 1f9546353be85daaee50c105e0ada7f1d5f6a08a0d3179090ed2a1229a8a7c3b
SHA512 dd7eb2cb852c6eacc4601577f0b808bf2f6f42d77bf317db8a9adb9dd8f4ae8546c1e595c763b6efee72e4a85c101b58874d07eb117707f1744c97a06e3c820d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0e8cbd6428719cb693ac39a71b1a2ac4
SHA1 cc4c6e6153ad3f0050e79f5658cbf164652b40ea
SHA256 11a722650af8cae3083adb5a2dafd5ab7cb5523d9ef80a28a02da4bc506708e8
SHA512 53d076415966a87fa4f6ea7c08b77ab86f19a3c51ad7d04298e1f1853b377d28e1f7237bbb707f28d33f95b4975498f666bf3caf5d95409c264d1c41b87b435d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
