Malware Analysis Report

2025-08-05 12:18

Sample ID 240419-x67xraeb4x
Target 3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d
SHA256 3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d

Threat Level: Known bad

The file 3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:29

Reported

2024-04-19 19:31

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 matches; no description, indicator, process or target recorded for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(4 matches; no description, indicator, process or target recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\system32\cmd.exe
PID 3792 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\system32\cmd.exe
PID 4608 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4608 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3792 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3792 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\rss\csrss.exe
PID 3792 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\rss\csrss.exe
PID 3792 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\rss\csrss.exe
PID 4652 wrote to memory of 2924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 1260 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 1260 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 1260 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 1452 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4652 wrote to memory of 1452 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1692 wrote to memory of 4420 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4420 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4420 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4420 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4420 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe

"C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe

"C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 dec1f0a0-19aa-40d3-9bfe-3bae960d8796.uuid.createupdate.org udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server5.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server5.createupdate.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 185.82.216.104:443 server5.createupdate.org tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:31465 tcp

Files

memory/4472-1-0x0000000003C50000-0x0000000004050000-memory.dmp

memory/4472-2-0x0000000004050000-0x000000000493B000-memory.dmp

memory/4472-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/784-5-0x0000000074850000-0x0000000075000000-memory.dmp

memory/784-4-0x0000000004560000-0x0000000004596000-memory.dmp

memory/784-6-0x0000000004550000-0x0000000004560000-memory.dmp

memory/784-7-0x0000000004BD0000-0x00000000051F8000-memory.dmp

memory/784-8-0x0000000004B40000-0x0000000004B62000-memory.dmp

memory/784-9-0x0000000005370000-0x00000000053D6000-memory.dmp

memory/784-10-0x00000000053E0000-0x0000000005446000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gg1curvl.jqf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/784-20-0x0000000005510000-0x0000000005864000-memory.dmp

memory/784-21-0x0000000005B20000-0x0000000005B3E000-memory.dmp

memory/784-22-0x0000000005B70000-0x0000000005BBC000-memory.dmp

memory/784-23-0x0000000006080000-0x00000000060C4000-memory.dmp

memory/784-24-0x0000000006C40000-0x0000000006CB6000-memory.dmp

memory/784-26-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

memory/784-25-0x0000000007540000-0x0000000007BBA000-memory.dmp

memory/784-27-0x000000007F060000-0x000000007F070000-memory.dmp

memory/784-28-0x00000000070A0000-0x00000000070D2000-memory.dmp

memory/784-29-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/784-40-0x00000000070E0000-0x00000000070FE000-memory.dmp

memory/784-30-0x0000000070AE0000-0x0000000070E34000-memory.dmp

memory/784-41-0x0000000004550000-0x0000000004560000-memory.dmp

memory/784-42-0x0000000007100000-0x00000000071A3000-memory.dmp

memory/784-43-0x00000000071F0000-0x00000000071FA000-memory.dmp

memory/784-44-0x00000000072B0000-0x0000000007346000-memory.dmp

memory/784-45-0x0000000007210000-0x0000000007221000-memory.dmp

memory/784-46-0x0000000007250000-0x000000000725E000-memory.dmp

memory/784-47-0x0000000007260000-0x0000000007274000-memory.dmp

memory/784-48-0x0000000007350000-0x000000000736A000-memory.dmp

memory/784-49-0x00000000072A0000-0x00000000072A8000-memory.dmp

memory/784-52-0x0000000074850000-0x0000000075000000-memory.dmp

memory/3792-54-0x0000000003B40000-0x0000000003F44000-memory.dmp

memory/4472-55-0x0000000003C50000-0x0000000004050000-memory.dmp

memory/3792-56-0x0000000003F50000-0x000000000483B000-memory.dmp

memory/3792-57-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/640-58-0x0000000074850000-0x0000000075000000-memory.dmp

memory/640-59-0x00000000050E0000-0x00000000050F0000-memory.dmp

memory/640-60-0x00000000050E0000-0x00000000050F0000-memory.dmp

memory/640-61-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/640-71-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/640-72-0x0000000070E70000-0x00000000711C4000-memory.dmp

memory/640-84-0x000000007FCA0000-0x000000007FCB0000-memory.dmp

memory/640-85-0x00000000050E0000-0x00000000050F0000-memory.dmp

memory/4472-83-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/640-82-0x0000000007770000-0x0000000007813000-memory.dmp

memory/640-86-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

memory/640-87-0x0000000007AF0000-0x0000000007B04000-memory.dmp

memory/640-90-0x0000000074850000-0x0000000075000000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3516-92-0x0000000074850000-0x0000000075000000-memory.dmp

memory/3516-94-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/3516-93-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/3516-104-0x0000000005F10000-0x0000000006264000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 116a3d632cd08a4f0fcf746c46b86061
SHA1 f39ec8458eba73b8580d8155be17f746dd5ec5be
SHA256 ebce888f407ce78e4f13c344f100280b94a9b3a4ba6ac561f57827f88700a51a
SHA512 2196c5de91a0ebfaddd6034263f7d0d55f3273dfae70b752c805220742bc9ec33931743a933be235fa59cdda1de6504908c34f73884acb7a4fca15c773b45796

memory/3516-107-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/3516-108-0x0000000070870000-0x0000000070BC4000-memory.dmp

memory/3516-118-0x000000007F9A0000-0x000000007F9B0000-memory.dmp

memory/3516-119-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/3516-120-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/3516-122-0x0000000074850000-0x0000000075000000-memory.dmp

memory/548-124-0x0000000005060000-0x0000000005070000-memory.dmp

memory/548-126-0x0000000005060000-0x0000000005070000-memory.dmp

memory/3792-125-0x0000000003B40000-0x0000000003F44000-memory.dmp

memory/548-123-0x0000000074850000-0x0000000075000000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 436ad1a83f08bbc9568004706cb9e96c
SHA1 7500a352ee891b6d66a41dc3c562a9e3b03b36ff
SHA256 c6f74ff0ebbd03d643b1be6db1101986f9f3a98f71f17e42e0eb8d6e253b0660
SHA512 c7a7f47923b01e47d60a0cca63ccbe11073388d3690c8ce7c7b1b90600df7ed28d29b53f95f8e93e703a366611f8220662113eceab83d0f6d8025d188e970e75

memory/548-137-0x000000007EF40000-0x000000007EF50000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7a2dc660663cb5e5a7be7c9f54a75d32
SHA1 371a1a0323d026fe98f4e137c77e6ddd36aae7be
SHA256 3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d
SHA512 de9b61dbb88bd841b3f660162142990ec732d5de339118be76bb170e992e39425744e31a313563ee0adbc0dc39483d96e8977ea33b5ab703ea52379a3f2d697b

memory/3792-156-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 878855d6ecbbb47c6043b6c0373a1285
SHA1 f1777bc742d44ea2a1dbcfd4a87e8a3d584f24b2
SHA256 86995b81b439bcc9f265cf8dc7b2a7e431c3efa3fa6524b1a5c2296d1842ee57
SHA512 d152899978054a8ea9764e8425acc411928e3715bf76f7e8c1a4a58ce1884479759d61aa293f76b2b9e7dbe6c27171970e7802aa316dfbcb11a1e0dfe8f4789e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 40ab768febd53d839b04d301ef8917d7
SHA1 2b06cf981423646b2ba2de14cfcbdc833ee31f91
SHA256 1dd219ef970cec567974c1a28ef1031f213233dd0fa4bbb0b140cc13023de517
SHA512 3dc382b0a8e89158cf22080d8edd0410f4b70d2a7a2b9e2b8323f869a59298954558c8d416496d8055ea945912971f329dc6271ab6ed74a8801667d3f4ca31a0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c4a8ab0bdb98718bd6293a3777043a2b
SHA1 c7ea59562e7031ece808a1c2fecf46ded1da4a2a
SHA256 0ecb5644d567c3d77042b5ed2c77d63c89412c6839d60888df15c63c438f8122
SHA512 ee65a3659de8e20eddae2df5064342280dc6ec82177cb5d7d2c46101dade10d99189254ffc677b3bcaddf70fd391e0971a3e40c224745a3eb58fcc36a0017392

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4652-257-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1692-266-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-267-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3336-269-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-270-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-273-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3336-275-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-276-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-279-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-282-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-285-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-288-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-291-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-294-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-297-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4652-300-0x0000000000400000-0x0000000001E08000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:29

Reported

2024-04-19 19:31

Platform

win11-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\system32\cmd.exe
PID 840 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\system32\cmd.exe
PID 3988 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3988 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 840 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\rss\csrss.exe
PID 840 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\rss\csrss.exe
PID 840 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\rss\csrss.exe
PID 4628 wrote to memory of 1556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 1556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 1556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 1868 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4628 wrote to memory of 1868 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2268 wrote to memory of 3644 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 3644 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 3644 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3644 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3644 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
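
The table above logs one row per WriteProcessMemory call, so each parent/child pair appears two or three times and the two execution chains (the first instance, PID 1120, which WerFault later reports as crashed, and the second, PID 840, which carries on to drop csrss.exe) are hard to see. The following Python is an added example, not part of the report or of the sample: it parses rows in exactly the format shown, collapses the duplicates, rebuilds the spawn tree and returns the full lineage of every process that ends in a configuration-changing LOLBin. The rows embedded in ROWS are copied from the table (one per pair, with the three 1120 -> 4848 duplicates kept to show the collapsing); the LOLBIN set is the author's own choice.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above
# (one row per parent/child pair, except 1120 -> 4848 where all three
# duplicate rows are kept to show how the parser collapses them).
ROWS = r"""
PID 1120 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\system32\cmd.exe
PID 3988 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 840 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe C:\Windows\rss\csrss.exe
PID 4628 wrote to memory of 1556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 1868 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2268 wrote to memory of 3644 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""

# "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Author's choice: built-in tools that change host configuration when spawned
# by malware (firewall, service ACLs, scheduled tasks).
LOLBINS = {"netsh.exe", "sc.exe", "schtasks.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    """Return (parent_of, path_of, writes): child PID -> parent PID,
    PID -> image path, and how many rows each parent/child pair produced."""
    parent_of, path_of, writes = {}, {}, Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid, _indicator, ppath, cpath = m.groups()
        ppid, cpid = int(ppid), int(cpid)
        parent_of[cpid] = ppid
        path_of[ppid], path_of[cpid] = ppath, cpath
        writes[(ppid, cpid)] += 1
    return parent_of, path_of, writes


def roots(parent_of, path_of):
    """PIDs nobody wrote to: the start of each independent execution chain."""
    return sorted(pid for pid in path_of if pid not in parent_of)


def lineage(pid, parent_of, path_of):
    """Image names from the root of the chain down to `pid`."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(path_of[p]) for p in reversed(chain)]


def lolbin_chains(parent_of, path_of):
    """Full spawn chain for every process whose image is in LOLBINS."""
    return [lineage(pid, parent_of, path_of)
            for pid in sorted(path_of) if basename(path_of[pid]) in LOLBINS]


def render_tree(parent_of, path_of):
    """Indented text tree, one line per process, duplicates collapsed."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(path_of[pid])}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots(parent_of, path_of):
        walk(r, 0)
    return "\n".join(lines)


PARENT_OF, PATH_OF, WRITES = parse_rows(ROWS)

if __name__ == "__main__":
    print(render_tree(PARENT_OF, PATH_OF))
    for chain in lolbin_chains(PARENT_OF, PATH_OF):
        print(" -> ".join(chain))
```

Three roots come out of the table: 1120 and 840 are both the sample binary, and 2268 is the dropped C:\Windows\windefender.exe, which has no recorded parent here because it is started as a service rather than by WriteProcessMemory from another listed process. The two LOLBin chains are sample -> cmd.exe -> netsh.exe (firewall rule) and windefender.exe -> cmd.exe -> sc.exe (service ACL), which are the rows a detection rule on parent/child image pairs should key on.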

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe

"C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe

"C:\Users\Admin\AppData\Local\Temp\3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1120 -ip 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
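
The sc sdset command above replaces the security descriptor of the WinDefender service with an SDDL string whose effect is not obvious at a glance: the Administrators (BA) allow ACE is missing WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a second ACE explicitly denies those two rights to BA, so even an elevated administrator cannot stop the service while Local System still can. The S: section also writes a SACL, which requires SeSecurityPrivilege; that is consistent with the two sc.exe entries in the AdjustPrivilegeToken table above. The following Python is an added example, not part of the report or of the sample: it decodes the service SDDL from the command line and compares it against a baseline. DEFAULT_SDDL is an assumption, the default DACL Windows commonly assigns to a newly created service, included only so the diff shows what was taken away.

```python
import re
from collections import defaultdict

# Service access-right abbreviations as used by 'sc sdset' / 'sc sdshow'.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that appear in the descriptor.
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive Users", "SU": "Service Logon", "WD": "Everyone"}

# Descriptor copied from the 'sc sdset WinDefender ...' command line above.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: the default DACL of a freshly created Windows service
# (same trustees, but Administrators keep WP and DT and nothing is denied).
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def acl_aces(sddl, section):
    """ACE bodies of the 'D' (DACL) or 'S' (SACL) section, without parentheses."""
    m = re.search(section + r":((?:\([^)]*\))+)", sddl)
    return ACE_RE.findall(m.group(1)) if m else []


def decode_rights(rights):
    """Expand a two-letter-token rights string such as 'WPDT' into names."""
    if rights.startswith("0x") or len(rights) % 2:
        raise ValueError(f"unsupported rights field: {rights}")
    return {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
            for i in range(0, len(rights), 2)}


def dacl_rights(sddl):
    """Per-trustee sets of allowed and denied rights taken from the DACL."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for ace in acl_aces(sddl, "D"):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")
        who = TRUSTEES.get(sid, sid)
        if ace_type == "A":
            allowed[who] |= decode_rights(rights)
        elif ace_type == "D":
            denied[who] |= decode_rights(rights)
    return allowed, denied


def can_stop(sddl, trustee="Builtin Administrators"):
    """Whether `trustee` may stop the service. An explicit deny ACE beats any
    allow ACE, which is what the (D;;WPDT;;;BA) entry relies on."""
    allowed, denied = dacl_rights(sddl)
    return ("SERVICE_STOP" in allowed[trustee]
            and "SERVICE_STOP" not in denied[trustee])


def rights_stripped(sddl, baseline=DEFAULT_SDDL, trustee="Builtin Administrators"):
    """Rights the baseline grants `trustee` that `sddl` no longer grants,
    plus anything `sddl` explicitly denies them."""
    allowed, denied = dacl_rights(sddl)
    base_allowed, _ = dacl_rights(baseline)
    return (base_allowed[trustee] - allowed[trustee]) | denied[trustee]


def has_sacl(sddl):
    """True if an S: section is present (writing it needs SeSecurityPrivilege)."""
    return bool(acl_aces(sddl, "S"))


if __name__ == "__main__":
    for who in ("Local System", "Builtin Administrators", "Interactive Users"):
        print(f"{who:24} can stop WinDefender: {can_stop(WINDEFENDER_SDDL, who)}")
    print("stripped from Administrators:", sorted(rights_stripped(WINDEFENDER_SDDL)))
    print("SACL written:", has_sacl(WINDEFENDER_SDDL))
```

Administrators still hold DC (SERVICE_CHANGE_CONFIG) and WD (WRITE_DAC), so the lock is not absolute: an incident responder can restore the default descriptor with sc sdset, or change the start type and reboot, but an interactive "sc stop" or Services console attempt will fail with access denied. That failure mode, a service a local admin cannot stop, is the hunting signal to look for across a fleet.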

Network

Country Destination Domain Proto
US 8.8.8.8:53 a96414c0-b52a-478d-b858-05948f4cecdb.uuid.createupdate.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server13.createupdate.org udp
BG 185.82.216.104:443 server13.createupdate.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
IE 52.111.236.23:443 tcp
BG 185.82.216.104:443 server13.createupdate.org tcp
BG 185.82.216.104:443 server13.createupdate.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/1120-1-0x0000000003CA0000-0x00000000040A3000-memory.dmp

memory/1120-2-0x00000000040B0000-0x000000000499B000-memory.dmp

memory/1120-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4848-4-0x0000000002A50000-0x0000000002A86000-memory.dmp

memory/4848-5-0x0000000074A90000-0x0000000075241000-memory.dmp

memory/4848-6-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

memory/4848-7-0x00000000051E0000-0x000000000580A000-memory.dmp

memory/4848-8-0x0000000005030000-0x0000000005052000-memory.dmp

memory/4848-9-0x00000000050D0000-0x0000000005136000-memory.dmp

memory/4848-10-0x0000000005810000-0x0000000005876000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmsl1shm.ucq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4848-19-0x0000000005A90000-0x0000000005DE7000-memory.dmp

memory/4848-20-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

memory/4848-21-0x0000000005F40000-0x0000000005F8C000-memory.dmp

memory/4848-22-0x0000000006460000-0x00000000064A6000-memory.dmp

memory/4848-26-0x0000000070E80000-0x00000000711D7000-memory.dmp

memory/4848-25-0x0000000070D00000-0x0000000070D4C000-memory.dmp

memory/4848-24-0x0000000007320000-0x0000000007354000-memory.dmp

memory/4848-35-0x0000000007360000-0x000000000737E000-memory.dmp

memory/4848-23-0x000000007F910000-0x000000007F920000-memory.dmp

memory/4848-37-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

memory/4848-36-0x0000000007380000-0x0000000007424000-memory.dmp

memory/4848-39-0x00000000074A0000-0x00000000074BA000-memory.dmp

memory/4848-38-0x0000000007AF0000-0x000000000816A000-memory.dmp

memory/4848-40-0x00000000074E0000-0x00000000074EA000-memory.dmp

memory/4848-41-0x00000000075F0000-0x0000000007686000-memory.dmp

memory/4848-42-0x0000000007500000-0x0000000007511000-memory.dmp

memory/4848-43-0x0000000007550000-0x000000000755E000-memory.dmp

memory/4848-44-0x0000000007560000-0x0000000007575000-memory.dmp

memory/4848-45-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/4848-46-0x00000000075D0000-0x00000000075D8000-memory.dmp

memory/4848-49-0x0000000074A90000-0x0000000075241000-memory.dmp

memory/840-52-0x0000000003B70000-0x0000000003F78000-memory.dmp

memory/1120-51-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/840-53-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1120-54-0x00000000040B0000-0x000000000499B000-memory.dmp

memory/964-55-0x0000000074B30000-0x00000000752E1000-memory.dmp

memory/964-56-0x0000000005040000-0x0000000005050000-memory.dmp

memory/964-57-0x0000000005040000-0x0000000005050000-memory.dmp

memory/964-66-0x0000000005D90000-0x00000000060E7000-memory.dmp

memory/964-67-0x0000000006250000-0x000000000629C000-memory.dmp

memory/964-69-0x0000000070E10000-0x0000000070E5C000-memory.dmp

memory/964-81-0x0000000005040000-0x0000000005050000-memory.dmp

memory/964-80-0x0000000007410000-0x00000000074B4000-memory.dmp

memory/964-79-0x0000000005040000-0x0000000005050000-memory.dmp

memory/964-70-0x0000000070F90000-0x00000000712E7000-memory.dmp

memory/964-68-0x000000007F480000-0x000000007F490000-memory.dmp

memory/964-82-0x0000000007740000-0x0000000007751000-memory.dmp

memory/964-83-0x0000000007790000-0x00000000077A5000-memory.dmp

memory/964-86-0x0000000074B30000-0x00000000752E1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1072-88-0x0000000074B30000-0x00000000752E1000-memory.dmp

memory/1072-90-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/1072-89-0x00000000053A0000-0x00000000053B0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8dc04544d4d7460f70936d385ea3d82e
SHA1 96519ae4fc8c5817313fd4806d6fd2d52e0fd29a
SHA256 258c07bd02e482230b0c508b52650c344ac74e5d1e63700f3e0355d680906ffe
SHA512 1870909c10e0ed431f86e12a83d2f00d43b87005459a7c19fff4d5d5c3029639692be6caf8c991f485e1db0582d482a6d73221963a3be034e4bad4202bff14eb

memory/1072-100-0x000000007F530000-0x000000007F540000-memory.dmp

memory/840-111-0x0000000003B70000-0x0000000003F78000-memory.dmp

memory/1072-102-0x0000000070F90000-0x00000000712E7000-memory.dmp

memory/1072-101-0x0000000070E10000-0x0000000070E5C000-memory.dmp

memory/1072-113-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/840-112-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1072-115-0x0000000074B30000-0x00000000752E1000-memory.dmp

memory/2792-116-0x0000000074B30000-0x00000000752E1000-memory.dmp

memory/2792-118-0x00000000051D0000-0x00000000051E0000-memory.dmp

memory/2792-127-0x0000000006100000-0x0000000006457000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5d715aa3da5312cf542fc9fb3ad6e243
SHA1 7de19d7027fddb4cf4ffd09e7b2877dd5960fc32
SHA256 f33a63ded87eb133d1e2f50e4e9e8509e0d5205f8a36e00ad84c162d8f1c6398
SHA512 ec38c565d87147846475b9b428fa9ad2582c870c124e5813d3f44614fd85477e867776d943aaa09602d2dc2dfa140ca387bdce3ab91d6a5458fcdf5e62428b2a

memory/2792-117-0x00000000051D0000-0x00000000051E0000-memory.dmp

memory/2792-130-0x000000007FB50000-0x000000007FB60000-memory.dmp

memory/2792-129-0x0000000070E10000-0x0000000070E5C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7a2dc660663cb5e5a7be7c9f54a75d32
SHA1 371a1a0323d026fe98f4e137c77e6ddd36aae7be
SHA256 3627166bec1e4d4a2064fbcc7f64d3356adf63e67083361af225a7332f3e2f4d
SHA512 de9b61dbb88bd841b3f660162142990ec732d5de339118be76bb170e992e39425744e31a313563ee0adbc0dc39483d96e8977ea33b5ab703ea52379a3f2d697b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7bfc5f7900ef5f5b2bc5199283b352fa
SHA1 fb1798819f221cad72ef483134617807d8df5134
SHA256 aaef208192cb4c2bfe440eb1abb3aeb8c577f7d69035c2b142813a6d0ff578cb
SHA512 d80393dede0f1188bb294e018339834d7365e16a7487a857555c15b208883888b678592f55921d3cf15e62f0b3d34a62590a152b4d7801d85725c38e2b0e1f2c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fe11f23cce5598e8c9b89faa26bd9e14
SHA1 522db5f09e05f51d3152e392a4e48236f32466e7
SHA256 0eb6bd66ac5d0eb0d3e3989a50258789c71ca9f754c7b9de46a9a26cfb9a35ea
SHA512 bd9e2dac0d1f251b1301d5ec729942fa7b71bf2c7e3aa3059db5e0f511a8f66aa54826fd4e7e1933a2d5ff55545b154470a0b4df719b38e982d2cf6d8e7746e6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 73f1010fdd9a6fe8cd7ae592fb19d98e
SHA1 c2bef73ad84395a8e919cfb4de7de66b3206f301
SHA256 22c982e696710aaaacbbca5f50decf87128a8b30786eef4297b6c7f3b9fa209f
SHA512 b0491e8cda4c90e436f443ad2bf206a52a21f2c3889603b64e72fe7059e04192bccb88cdfdc2f6cac4c7c2ad5a8dbdf7ffd36eeb3e981da57bf685034ce8baf9

memory/840-223-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4628-244-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2268-253-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4628-254-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2744-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4628-257-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-260-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2744-262-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4628-263-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-266-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-269-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-271-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-275-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-278-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-281-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-284-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4628-287-0x0000000000400000-0x0000000001E08000-memory.dmp