Malware Analysis Report

2025-08-05 12:17

Sample ID 240419-yl1hlsef7t
Target 348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0
SHA256 348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0

Threat Level: Known bad

The file 348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:53

Reported

2024-04-19 19:55

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 3016 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\system32\cmd.exe
PID 4008 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3016 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\rss\csrss.exe
PID 4652 wrote to memory of 1084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 3828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4652 wrote to memory of 2700 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4424 wrote to memory of 4352 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe

"C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe

"C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2088 -ip 2088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3016 -ip 3016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
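
The sc.exe line above replaces the security descriptor of the WinDefender service the sample registers. Decoding it shows the point of the change: the Administrators allow ACE is the familiar default service ACE with WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) removed, and a deny ACE for the same two rights follows it, while LocalSystem keeps start, stop and pause. The parser below is an added example, not code from the report or from the sample: it takes the descriptor string verbatim from the command line and reports what LocalSystem, Administrators and interactive users can still do to the service. The right-code and alias tables are the documented SDDL abbreviations for service objects.

```python
"""Decode the service security descriptor set by `sc sdset WinDefender ...`.

Added example, not code from the report or the malware: a small SDDL parser
for service objects, run on the descriptor string copied from the sc.exe
command line above, plus a check of what each trustee may still do to the
service. Right codes are the documented service access rights (WP is
SERVICE_STOP, DT is SERVICE_PAUSE_CONTINUE, SD is DELETE, WD is WRITE_DAC);
trustee aliases are the standard SDDL abbreviations.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# SID aliases used in the sample's descriptor (WD as a trustee is Everyone,
# distinct from the WD right code above).
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service logon", "WD": "Everyone"}

# Copied verbatim from the sc.exe command line in the process list.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

_SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")
# (type;flags;rights;object_guid;inherit_guid;sid)
_ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


@dataclass
class Ace:
    ace_type: str       # "A" allow / "D" deny in the DACL, "AU" audit in the SACL
    flags: str          # e.g. "FA": audit failed access attempts
    rights: list[str]   # two-letter right codes in the order written
    trustee: str        # SID alias or literal S-1-... SID


def split_rights(codes: str) -> list[str]:
    """Split 'CCLCSW...' into right codes; reject odd-length or unknown input."""
    pairs = [codes[i:i + 2] for i in range(0, len(codes), 2)]
    unknown = [p for p in pairs if p not in SERVICE_RIGHTS]
    if len(codes) % 2 or unknown:
        raise ValueError(f"unrecognised rights in {codes!r}: {unknown}")
    return pairs


def parse_sddl(sddl: str) -> dict[str, list[Ace]]:
    """DACL ('D') and SACL ('S') as lists of Ace, in the order written."""
    acls: dict[str, list[Ace]] = {"D": [], "S": []}
    for section, body in _SECTION_RE.findall(sddl):
        for ace_type, flags, rights, _obj, _inh, sid in _ACE_RE.findall(body):
            acls[section].append(Ace(ace_type, flags, split_rights(rights), sid))
    return acls


def explicit_rights(dacl: list[Ace], trustee: str) -> tuple[set[str], set[str]]:
    """Rights explicitly allowed / denied to one trustee alias (no group expansion)."""
    allowed: set[str] = set()
    denied: set[str] = set()
    for ace in dacl:
        if ace.trustee == trustee and ace.ace_type == "A":
            allowed.update(ace.rights)
        elif ace.trustee == trustee and ace.ace_type == "D":
            denied.update(ace.rights)
    return allowed, denied


def what_trustee_can_do(sddl: str, trustee: str) -> dict[str, bool]:
    """The questions a responder asks before trying to stop the service."""
    allowed, denied = explicit_rights(parse_sddl(sddl)["D"], trustee)

    def has(code: str) -> bool:
        return code in allowed and code not in denied

    return {
        "start": has("RP"), "stop": has("WP"), "pause": has("DT"),
        "delete": has("SD"),          # sc delete <svc>
        "change_config": has("DC"),   # sc config <svc> start= disabled
        "rewrite_dacl": has("WD"),    # sc sdset <svc> <sane descriptor>
    }


if __name__ == "__main__":
    for alias in ("SY", "BA", "IU", "SU"):
        print(f"{TRUSTEES[alias]:16} {what_trustee_can_do(SAMPLE_SDDL, alias)}")
```

Administrators keep SD, DC and WD, so `sc stop WinDefender` and `Stop-Service` fail for an admin while `sc sdset WinDefender <default descriptor>`, `sc config WinDefender start= disabled` and `sc delete WinDefender` are still permitted as far as this DACL is concerned. The descriptor says nothing about what the running process, the csrss logon task or the driver interaction flagged under "Manipulates WinMonFS driver" do in response, so confirm the service state after a reboot rather than trusting the SCM return code.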

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 4abb52d9-72ad-468f-9937-c6bf981b8b38.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server6.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp
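
Read as a whole, the table mixes three things: reverse (PTR) lookups of addresses the sample talks to, forward lookups, and the TCP/UDP connections themselves. The script below is an added example, not part of the report, that parses rows in the table's own format (a subset copied from above is embedded), converts in-addr.arpa names back to addresses and matches them against the connected peers, flags the UUID-labelled hostname under databaseupgrade.ru, and lists IOC candidates. The allow-list of Microsoft and Google background traffic is an assumption made for the example.

```python
"""Triage of the Network table above.

Added example, not from the report: a parser for the "Country Destination
Domain Proto" rows that separates reverse (PTR) lookups from forward lookups
and connections, matches PTR lookups against the peers the sample connected
to, flags UUID-labelled hostnames and lists IOC candidates. The rows below are
a subset copied from the table; ALLOWLIST_SUFFIXES is an assumption.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

NETWORK_TABLE = """\
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 4abb52d9-72ad-468f-9937-c6bf981b8b38.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 server6.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
N/A 127.0.0.1:31465 tcp
"""

# Assumption: well-known infrastructure treated as background noise here.
ALLOWLIST_SUFFIXES = (".bing.com", ".bing.net", ".google.com")
_PTR_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa")
_UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


@dataclass(frozen=True)
class Row:
    country: str
    dest: str            # ip:port
    domain: str | None   # None when the table has no domain column
    proto: str

    @property
    def is_dns(self) -> bool:
        return self.dest.endswith(":53")   # assumption: port 53 rows are lookups

    @property
    def ip(self) -> str:
        return self.dest.rsplit(":", 1)[0]


def parse_rows(text: str) -> list[Row]:
    rows: list[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(Row(*parts))
        elif len(parts) == 3:            # loopback row has no domain column
            rows.append(Row(parts[0], parts[1], None, parts[2]))
        elif parts:
            raise ValueError(f"unexpected row: {line!r}")
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'72.32.126.40.in-addr.arpa' -> '40.126.32.72'; None for non-PTR names."""
    m = _PTR_RE.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None


def is_uuid_label(hostname: str) -> bool:
    """True when the leftmost DNS label is a UUID (per-host style identifier)."""
    return bool(_UUID_RE.match(hostname.split(".", 1)[0]))


def summarize(rows: list[Row]) -> dict:
    ptr_lookups: set[str] = set()
    forward: set[str] = set()
    for r in rows:
        if r.is_dns and r.domain:
            ip = ptr_to_ip(r.domain)
            if ip:
                ptr_lookups.add(ip)
            else:
                forward.add(r.domain)
    connections = Counter((r.domain, r.dest, r.proto) for r in rows if not r.is_dns)
    peers = {r.ip for r in rows if not r.is_dns}
    return {
        "ptr_lookups": ptr_lookups,
        "forward_lookups": forward,
        "connections": connections,
        "ptr_for_connected_peers": ptr_lookups & peers,
        "uuid_hostnames": {d for d in forward if is_uuid_label(d)},
        "loopback": {r.dest for r in rows if r.ip.startswith("127.")},
    }


def ioc_candidates(rows: list[Row], allowlist=ALLOWLIST_SUFFIXES) -> list[tuple]:
    """Non-DNS, non-loopback connections outside the allow-list, busiest first."""
    out = []
    for (domain, dest, proto), n in summarize(rows)["connections"].items():
        if dest.startswith("127.") or (domain and domain.endswith(allowlist)):
            continue
        out.append((domain, dest, proto, n))
    return sorted(out, key=lambda t: (-t[3], t[0] or ""))


if __name__ == "__main__":
    table = parse_rows(NETWORK_TABLE)
    print(summarize(table))
    for ioc in ioc_candidates(table):
        print(*ioc)
```

Three of the PTR lookups resolve to peers the sample connected to (the bing, Discord CDN and databaseupgrade.ru addresses), so they add no infrastructure beyond the connections themselves. The UUID label in front of uuid.databaseupgrade.ru looks like a per-host identifier and is better tracked as a pattern on that zone than as a literal name. cdn.discordapp.com is a legitimate CDN, so the actionable indicator there is the fetched URL, which this table does not record, and the connection to 127.0.0.1:31465 points at a local listener that should be matched against the process list.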

Files

memory/2088-1-0x0000000003D00000-0x0000000004101000-memory.dmp

memory/2088-2-0x0000000004110000-0x00000000049FB000-memory.dmp

memory/2088-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5012-4-0x0000000005230000-0x0000000005266000-memory.dmp

memory/5012-5-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/5012-6-0x0000000005280000-0x0000000005290000-memory.dmp

memory/5012-7-0x0000000005280000-0x0000000005290000-memory.dmp

memory/5012-8-0x00000000058C0000-0x0000000005EE8000-memory.dmp

memory/5012-9-0x0000000005820000-0x0000000005842000-memory.dmp

memory/5012-10-0x0000000005FF0000-0x0000000006056000-memory.dmp

memory/5012-11-0x00000000060D0000-0x0000000006136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bzc4pz1h.jad.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5012-21-0x0000000006200000-0x0000000006554000-memory.dmp

memory/5012-22-0x0000000006800000-0x000000000681E000-memory.dmp

memory/5012-23-0x0000000006830000-0x000000000687C000-memory.dmp

memory/5012-24-0x0000000007970000-0x00000000079B4000-memory.dmp

memory/5012-25-0x0000000007B30000-0x0000000007BA6000-memory.dmp

memory/5012-27-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

memory/5012-26-0x0000000008230000-0x00000000088AA000-memory.dmp

memory/5012-29-0x0000000007D80000-0x0000000007DB2000-memory.dmp

memory/5012-30-0x0000000070760000-0x00000000707AC000-memory.dmp

memory/5012-28-0x000000007F050000-0x000000007F060000-memory.dmp

memory/5012-31-0x0000000070EC0000-0x0000000071214000-memory.dmp

memory/5012-41-0x0000000007DC0000-0x0000000007DDE000-memory.dmp

memory/5012-42-0x0000000005280000-0x0000000005290000-memory.dmp

memory/5012-43-0x0000000007DE0000-0x0000000007E83000-memory.dmp

memory/5012-44-0x0000000007ED0000-0x0000000007EDA000-memory.dmp

memory/5012-45-0x0000000007FE0000-0x0000000008076000-memory.dmp

memory/5012-46-0x0000000007EE0000-0x0000000007EF1000-memory.dmp

memory/5012-48-0x0000000007F40000-0x0000000007F54000-memory.dmp

memory/5012-47-0x0000000007F20000-0x0000000007F2E000-memory.dmp

memory/5012-50-0x0000000007F70000-0x0000000007F78000-memory.dmp

memory/5012-49-0x0000000007F80000-0x0000000007F9A000-memory.dmp

memory/5012-53-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3016-55-0x0000000003B20000-0x0000000003F19000-memory.dmp

memory/2088-56-0x0000000003D00000-0x0000000004101000-memory.dmp

memory/2088-57-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3016-58-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2088-59-0x0000000004110000-0x00000000049FB000-memory.dmp

memory/3120-60-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/3120-62-0x0000000005000000-0x0000000005010000-memory.dmp

memory/3120-61-0x0000000005000000-0x0000000005010000-memory.dmp

memory/3120-68-0x0000000005F40000-0x0000000006294000-memory.dmp

memory/3120-73-0x0000000006550000-0x000000000659C000-memory.dmp

memory/3120-75-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/3120-76-0x0000000071000000-0x0000000071354000-memory.dmp

memory/3120-88-0x0000000005000000-0x0000000005010000-memory.dmp

memory/3120-87-0x0000000005000000-0x0000000005010000-memory.dmp

memory/3120-86-0x0000000007780000-0x0000000007823000-memory.dmp

memory/3120-74-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

memory/3120-89-0x0000000007A90000-0x0000000007AA1000-memory.dmp

memory/3120-90-0x0000000007AE0000-0x0000000007AF4000-memory.dmp

memory/3120-93-0x00000000749E0000-0x0000000075190000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/1332-97-0x00000000025E0000-0x00000000025F0000-memory.dmp

memory/1332-96-0x00000000025E0000-0x00000000025F0000-memory.dmp

memory/1332-95-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1332-107-0x0000000005620000-0x0000000005974000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf2fab87e25d1870bc2f67f372e0ef11
SHA1 b8789c5431a3c1fafb8df45cf374bd32c0901324
SHA256 954be8ecbc6b28834a996e02dd962c786b905116d6a6bc2316dddb7bafc77679
SHA512 2e3ec6621a13d849b222d853066fdafd227fde151fb81da226751186f5304c18e3ac9c5880ed9ad39855c0c6a5eaebf258a23848b3468fbad92fd3fdf354b9de

memory/1332-110-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/1332-111-0x0000000070A00000-0x0000000070D54000-memory.dmp

memory/1332-122-0x00000000025E0000-0x00000000025F0000-memory.dmp

memory/1332-121-0x00000000025E0000-0x00000000025F0000-memory.dmp

memory/1332-109-0x000000007FCB0000-0x000000007FCC0000-memory.dmp

memory/1332-124-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1088-126-0x00000000028F0000-0x0000000002900000-memory.dmp

memory/3016-127-0x0000000003B20000-0x0000000003F19000-memory.dmp

memory/1088-125-0x00000000749E0000-0x0000000075190000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a580943b899f6d2e90450d7cf9bbd021
SHA1 bdcd8b579a850446995d248ca97523e2901169ac
SHA256 6c9463623792f9ae146727bbefc92e75403a5391898d0d77132ee3f1a0f0d8a6
SHA512 6b714f73c37acc8bcc777a80456ad647196d11497602706b5694493e90f69da5a574ec51468f67b5ffaa21aa52b13267ba9384f7d4c7b86d99abad3a0ecb7ae8

C:\Windows\rss\csrss.exe

MD5 a10bcc6a85c9c95dc26a9f2ddac2a3d8
SHA1 c31741a560b5e2997484e01caa69bfa55ca0ea62
SHA256 348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0
SHA512 c9ec8459393d43e7bc48b9ee17ef33f8b441d3b27e2c56aa119be714a524c3fa97dac2ecb7395a95a40f16d7dc0c2b44f54748a5efeb58711a72106a3746a153

memory/3016-158-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fdf1212ef45e548e2d910a7adcb6d239
SHA1 539b17607b7790e885acae0dac2d0edc3bed2a72
SHA256 66ea560b98f8bb870a9a189ee400a1e0ea33b83f003c7345fdd471b103f7b651
SHA512 20daf13f00794e221d2585c426c7ab26110402c210c7b1a2b3b1829809f8c0f08588a1add3d6ae8bdc32af963d8f8d6da2dbc19ee1ae3d71c201391de21a7252

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5552b3175e86f531c9fa200a118a3904
SHA1 6ba5ebeb77d211f4105ba41c8b5783e67a752f97
SHA256 85ed7c20abc56a9690a7392c77619a98d1c2b5b72f949fb85f7fcb0015dcf4a4
SHA512 e6dd80c7b92ea6eb961d747c9f77ae7e61d6b6b2b209a424c5327c0df4c5c278d3a69329c0171aaecc51f47cde3407b8f3b97f5d91a8690548b6d1df02e0015e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 92712dc9eb37afa452131c42d00cd0a2
SHA1 26e7a1d56962cbc8891f128effdf719eafb67c20
SHA256 0211d07cca639e97673392070c75d22b25f00bcf45e487385731d39ff219bc46
SHA512 15fca180b2de69ef8dcc9f5962d66b65f50d01b80ef0ff9ed1d696f03f2be11627fd626f996bb780401993d6d22a0290a77090aacf24cb46edbf937330620c0b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4652-263-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4424-271-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-272-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-273-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3772-274-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-276-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3772-277-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4652-278-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-280-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-282-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-284-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-285-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-288-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-290-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-292-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4652-294-0x0000000000400000-0x0000000001E06000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:53

Reported

2024-04-19 19:55

Platform

win11-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
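
Between the firewall rule, the Run key, the WinMonFS handle, the sc.exe call and the two schtasks invocations, the signatures in this section describe a persistence chain that is straightforward to express as process-creation rules. Below is an added example (not the report's or the malware's code) with four such rules in Python, run over constructed Sysmon-style events whose command lines are copied from the behavioral1 process list, alongside three benign look-alikes that must not fire. The trusted-directory list and the System32-only process-name list are assumptions chosen for the example.

```python
"""Process-creation detections for the persistence chain recorded above.

Added example, not from the report or the malware. Four rules run over
Sysmon-style process-creation records (Image, CommandLine); the sample events
are constructed, with command lines copied from the behavioral1 process list
plus three benign look-alikes. TRUSTED_DIRS and SYSTEM32_ONLY are assumptions.
"""
from __future__ import annotations

import ntpath
import re

# Assumption: a firewall allow rule or a highest-privilege logon task pointing
# into one of these directories is not suspicious by itself.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: core processes that legitimately run only from System32.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe"}


def _under_trusted_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def _kv(cmd: str, key: str) -> str | None:
    """Value of a netsh-style key=value pair, quoted or bare."""
    m = re.search(rf'\b{key}=(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def _flag(cmd: str, flag: str) -> str | None:
    """Value following a schtasks-style /FLAG, quoted or bare."""
    m = re.search(rf'{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def firewall_allow_untrusted_program(ev: dict) -> str | None:
    cmd = ev["CommandLine"]
    if not re.search(r"\badvfirewall\s+firewall\s+add\s+rule\b", cmd, re.I):
        return None
    prog = _kv(cmd, "program")
    if (_kv(cmd, "action") or "").lower() == "allow" and prog \
            and not _under_trusted_dir(prog):
        return f"{_kv(cmd, 'dir')} allow rule {_kv(cmd, 'name')!r} for {prog}"
    return None


def logon_task_untrusted_binary(ev: dict) -> str | None:
    cmd = ev["CommandLine"]
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmd, re.I):
        return None
    target = _flag(cmd, "/TR")
    sched = (_flag(cmd, "/SC") or "").upper()
    level = (_flag(cmd, "/RL") or "").upper()
    if target and not _under_trusted_dir(target) \
            and sched in {"ONLOGON", "ONSTART"} and level == "HIGHEST":
        return f"task {_flag(cmd, '/TN')!r} runs {target} {sched} as {level}"
    return None


# Deny ACE: (D;flags;rights;object;inherit;sid) -> (rights, sid)
_DENY_ACE_RE = re.compile(r"\(D;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")


def service_dacl_denies_admins(ev: dict) -> str | None:
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", ev["CommandLine"], re.I)
    if not m:
        return None
    service, sddl = m.groups()
    denies = [(r, sid) for r, sid in _DENY_ACE_RE.findall(sddl) if sid in {"BA", "WD"}]
    return f"service {service!r}: deny ACEs {denies} for administrators" if denies else None


def system_binary_outside_system32(ev: dict) -> str | None:
    image = ev["Image"]
    name = ntpath.basename(image).lower()
    if name in SYSTEM32_ONLY and not image.lower().startswith("c:\\windows\\system32\\"):
        return f"{name} running from {ntpath.dirname(image)}"
    return None


RULES = [
    ("firewall_allow_untrusted_program", firewall_allow_untrusted_program),
    ("logon_task_untrusted_binary", logon_task_untrusted_binary),
    ("service_dacl_denies_admins", service_dacl_denies_admins),
    ("system_binary_outside_system32", system_binary_outside_system32),
]


def scan(events: list[dict]) -> list[tuple[int, str, str]]:
    """(event index, rule name, detail) for every rule that fires."""
    return [(i, name, d) for i, ev in enumerate(events)
            for name, rule in RULES if (d := rule(ev))]


# Constructed events; command lines 0-3 are copied from the report's process list.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"Image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "CommandLine": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"Image": r"C:\Windows\rss\csrss.exe", "CommandLine": r"C:\Windows\rss\csrss.exe"},
    # benign look-alikes: the real csrss, a rule for an installed app, a task deletion
    {"Image": r"C:\Windows\System32\csrss.exe",
     "CommandLine": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On"},
    {"Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Example App" dir=in action=allow program="C:\Program Files\Example\app.exe" enable=yes'},
    {"Image": r"C:\Windows\SYSTEM32\schtasks.exe", "CommandLine": "schtasks /delete /tn ScheduledUpdate /f"},
]

if __name__ == "__main__":
    for idx, name, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {detail}")
```

The rules key on what survives a repack: an inbound allow for a program outside trusted directories, a highest-privilege logon task pointing there, a service DACL carrying a deny ACE aimed at Administrators, and a core process name (csrss.exe) launched from anywhere but System32. The Files section of behavioral1 shows that the dropped C:\Windows\rss\csrss.exe has the same SHA256 as the submitted sample, so a hash match would also catch the persisted copy, but only for this build. The injector step (injector.exe taskmgr.exe ... NtQuerySystemInformationHook.dll) is deliberately not in these rules: a DLL being loaded into Task Manager is visible in image-load and remote-thread telemetry (Sysmon event IDs 7 and 8) rather than in a command line worth matching on.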

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4340 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\system32\cmd.exe
PID 3504 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\system32\cmd.exe
PID 1364 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1364 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3504 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3504 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\rss\csrss.exe
PID 3504 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\rss\csrss.exe
PID 3504 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe C:\Windows\rss\csrss.exe
PID 3196 wrote to memory of 720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 1116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 1116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 1116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 1888 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3196 wrote to memory of 1888 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4480 wrote to memory of 1680 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 1680 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 1680 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1680 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1680 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe

"C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe

"C:\Users\Admin\AppData\Local\Temp\348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 98b820f6-693c-4daa-91e0-ac2f956bf765.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server13.databaseupgrade.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server13.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 N/A udp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.108:443 server13.databaseupgrade.ru tcp
IE 52.111.236.22:443 N/A tcp

Files

memory/4340-1-0x0000000003C90000-0x000000000408F000-memory.dmp

memory/4340-2-0x0000000004090000-0x000000000497B000-memory.dmp

memory/4340-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1136-4-0x0000000002310000-0x0000000002346000-memory.dmp

memory/1136-5-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/1136-7-0x0000000004E00000-0x000000000542A000-memory.dmp

memory/1136-6-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/1136-8-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/1136-9-0x0000000004C60000-0x0000000004C82000-memory.dmp

memory/1136-10-0x0000000004D00000-0x0000000004D66000-memory.dmp

memory/1136-11-0x0000000005430000-0x0000000005496000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iv31mgt1.5mv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1136-20-0x0000000005620000-0x0000000005977000-memory.dmp

memory/1136-21-0x0000000005B10000-0x0000000005B2E000-memory.dmp

memory/1136-22-0x0000000005B70000-0x0000000005BBC000-memory.dmp

memory/1136-23-0x00000000060A0000-0x00000000060E6000-memory.dmp

memory/1136-24-0x000000007FA80000-0x000000007FA90000-memory.dmp

memory/1136-25-0x0000000006FD0000-0x0000000007004000-memory.dmp

memory/1136-26-0x0000000070310000-0x000000007035C000-memory.dmp

memory/1136-27-0x00000000704A0000-0x00000000707F7000-memory.dmp

memory/1136-36-0x0000000007010000-0x000000000702E000-memory.dmp

memory/1136-37-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/1136-38-0x0000000007030000-0x00000000070D4000-memory.dmp

memory/1136-39-0x00000000077A0000-0x0000000007E1A000-memory.dmp

memory/1136-40-0x0000000007160000-0x000000000717A000-memory.dmp

memory/1136-41-0x00000000071A0000-0x00000000071AA000-memory.dmp

memory/1136-42-0x00000000072B0000-0x0000000007346000-memory.dmp

memory/1136-43-0x00000000071C0000-0x00000000071D1000-memory.dmp

memory/1136-44-0x0000000007210000-0x000000000721E000-memory.dmp

memory/1136-45-0x0000000007220000-0x0000000007235000-memory.dmp

memory/1136-46-0x0000000007270000-0x000000000728A000-memory.dmp

memory/1136-47-0x0000000007290000-0x0000000007298000-memory.dmp

memory/1136-50-0x00000000740A0000-0x0000000074851000-memory.dmp

memory/4340-51-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3504-53-0x0000000003A00000-0x0000000003E01000-memory.dmp

memory/4340-54-0x0000000004090000-0x000000000497B000-memory.dmp

memory/3504-55-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/832-56-0x0000000074140000-0x00000000748F1000-memory.dmp

memory/832-58-0x0000000004D50000-0x0000000004D60000-memory.dmp

memory/832-57-0x0000000004D50000-0x0000000004D60000-memory.dmp

memory/832-59-0x0000000005B70000-0x0000000005EC7000-memory.dmp

memory/832-68-0x0000000006620000-0x000000000666C000-memory.dmp

memory/832-71-0x0000000070670000-0x00000000709C7000-memory.dmp

memory/832-70-0x0000000070420000-0x000000007046C000-memory.dmp

memory/832-69-0x000000007FD70000-0x000000007FD80000-memory.dmp

memory/832-80-0x00000000072B0000-0x0000000007354000-memory.dmp

memory/832-81-0x0000000004D50000-0x0000000004D60000-memory.dmp

memory/832-82-0x0000000007600000-0x0000000007611000-memory.dmp

memory/832-83-0x0000000007650000-0x0000000007665000-memory.dmp

memory/832-86-0x0000000074140000-0x00000000748F1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1348-88-0x0000000074140000-0x00000000748F1000-memory.dmp

memory/1348-89-0x0000000004930000-0x0000000004940000-memory.dmp

memory/1348-90-0x0000000004930000-0x0000000004940000-memory.dmp

memory/1348-99-0x00000000056B0000-0x0000000005A07000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c373bc250f632319a98b8b6b19d8b70
SHA1 5a6488f5213297b0d4ac008b7c39f5ff041ff9d8
SHA256 5359a64321a14255744aff84e733e162af7005026dc7c0f88818de6fd8a69c18
SHA512 a67a790a2307ae2de797164638f2941e19ed10765c3d6f33a35460a46362bca473e0abd12b539454dcb6ca5fbed9da13eb866aaec1003fe4ea8039e040c3d26a

memory/1348-102-0x0000000070420000-0x000000007046C000-memory.dmp

memory/1348-101-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

memory/1348-103-0x00000000705A0000-0x00000000708F7000-memory.dmp

memory/1348-104-0x0000000004930000-0x0000000004940000-memory.dmp

memory/1348-113-0x0000000004930000-0x0000000004940000-memory.dmp

memory/1348-115-0x0000000074140000-0x00000000748F1000-memory.dmp

memory/3936-116-0x0000000074140000-0x00000000748F1000-memory.dmp

memory/3936-118-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/3504-117-0x0000000003A00000-0x0000000003E01000-memory.dmp

memory/3936-128-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/3504-127-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c41020dbb922c4bf5121c12f9cc6daa1
SHA1 ab6417bc92fb27c3e05212fcd621caffe4864baf
SHA256 f8e77d71244238696a30320606084247eb5ece65fbd815df33a7e55eb097b475
SHA512 ded35dd859eb8a5e540c6fddcb87420a6122b1db6d19775910f595e19405d001aa9a4f40aadfa771dc2e6ec3585728132b8e6963b517fd1989a98a89d204c832

memory/3936-130-0x000000007FDB0000-0x000000007FDC0000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a10bcc6a85c9c95dc26a9f2ddac2a3d8
SHA1 c31741a560b5e2997484e01caa69bfa55ca0ea62
SHA256 348d3eddfad8f776c09daa27f55b651906a27edb39429de161206b7709387fd0
SHA512 c9ec8459393d43e7bc48b9ee17ef33f8b441d3b27e2c56aa119be714a524c3fa97dac2ecb7395a95a40f16d7dc0c2b44f54748a5efeb58711a72106a3746a153

memory/3504-146-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1b2bd9531dc3b9ba6bc4e929cb963fb
SHA1 e1c063991d3c6df49d462b1c2557e5b4449ae81a
SHA256 0c21918578ac136cc067e34eaa015030af26cd5dedda221ea8579adebf2def68
SHA512 83f88d2e476f95a29b16ea7a71a54e6b6a17c01de81ebc961082a89f23417eb75a8ac875cb55676203a976c0cfea54088281e53c8076b9b5f72c8439a5b4b81b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d65f9cc694fc1aa77859435b205d0ca7
SHA1 56cb68e706f9b111dab7e7152b0454dc8ee35092
SHA256 43fa2f724ae94f95925bc62e2c1d885153ce41ce5cda9ab2dfb22ed100aeb5a7
SHA512 33ea5ec63a5375a7a5b5aba8212a7d64e2e5a04e2fb62f2027b53073dd87fd1f802b053c21f00b05a2263e4c586975d9294cbb0a9cf26db835461f3a79e5cae9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7d6de477b926d814e554cf7e0d82712
SHA1 cb3cf7f74d48d7b7671ac5d4bdebd58ee991c829
SHA256 3d71e0385b12dc7badbeac21eea9769a55ea832467b3260fb8cd5c98678db171
SHA512 5831ac09fb1b22c56f9e5b6b76d39de9f7cfea38b2bcc5e359b550881a6454245ebcecb256ee2cf5ee0b8e4793b5cfb50b8a94614731dab7ccc2b78d64a5ba1d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3196-243-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4480-251-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3196-252-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-253-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/416-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3196-255-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-257-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/416-258-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3196-260-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-262-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-264-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-265-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-267-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-269-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-272-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3196-274-0x0000000000400000-0x0000000001E06000-memory.dmp