Malware Analysis Report

2025-08-05 12:18

Sample ID 240419-yl78fsef7z
Target 90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d
SHA256 90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d

Threat Level: Known bad

The file 90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:53

Reported

2024-04-19 19:56

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4116 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\system32\cmd.exe
PID 64 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 4236 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4596 wrote to memory of 4236 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 64 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\rss\csrss.exe
PID 64 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\rss\csrss.exe
PID 64 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe | C:\Windows\rss\csrss.exe
PID 3040 wrote to memory of 3176 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 3176 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 3176 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2088 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2088 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2088 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1752 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1752 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1752 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1960 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3040 wrote to memory of 1960 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2376 wrote to memory of 616 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 616 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 616 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 4060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 616 wrote to memory of 4060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 616 wrote to memory of 4060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe

"C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe

"C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
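
The `sc sdset WinDefender ...` command in the list above rewrites the DACL of the service that the dropped windefender.exe registers under the name WinDefender (Microsoft's own Defender service is WinDefend). Decoded, the Administrators allow ACE lacks WP (stop) and DT (pause/continue) compared with the default, and the separate `(D;;WPDT;;;BA)` deny ACE removes those two rights explicitly, so `sc stop` and the Services console fail for administrators while Start, Delete and WriteDac stay allowed. The decoder below is an added Python example, not part of the report or of the sandbox's tooling; its rights and trustee tables are the service-object abbreviations printed by `sc sdshow`, and the Administrators default it compares against is an assumption stated in the code.

```python
import re

# Access-right abbreviations for service objects (what "sc sdshow"/"sc sdset" use).
# The same two letters mean other rights on files or registry keys, so this table
# is only valid for service security descriptors.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
}
# Trustee abbreviations ("WD" is Everyone here, WriteDac in the rights field).
TRUSTEES = {
    "SY": "LocalSystem", "BA": "Administrators", "IU": "InteractiveUsers",
    "SU": "ServiceLogonUsers", "WD": "Everyone", "AU": "AuthenticatedUsers",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
# Assumption: the allow ACE the service control manager writes for Administrators
# on a newly created service; used as the baseline for "what was removed".
DEFAULT_ADMIN_RIGHTS = {"CC", "DC", "LC", "SW", "RP", "WP", "DT",
                        "LO", "CR", "SD", "RC", "WD", "WO"}

SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")   # D: (DACL) and S: (SACL) sections
ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(field):
    """Split a run of two-letter codes ('CCDCLC') into ['CC', 'DC', 'LC']."""
    if field.startswith("0x"):          # rights may also be written as a hex mask
        return [field]
    if len(field) % 2:
        raise ValueError(f"odd-length SDDL field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_sddl(sddl):
    """Parse the DACL and SACL of a service SDDL string into ACE dicts."""
    result = {"dacl": [], "sacl": []}
    for section, body in SECTION_RE.findall(sddl):
        for raw in ACE_RE.findall(body):
            fields = raw.split(";")     # type;flags;rights;object_guid;inherit_guid;sid
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({raw})")
            ace_type, flags, rights, _obj, _inh, sid = fields
            result["dacl" if section == "D" else "sacl"].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": _pairs(flags),
                "rights": _pairs(rights),
                "trustee": TRUSTEES.get(sid, sid),
            })
    return result


def describe(sddl):
    """One readable line per ACE, e.g. 'Deny Administrators: Stop, PauseContinue'."""
    sd = parse_sddl(sddl)
    lines = []
    for ace in sd["dacl"] + sd["sacl"]:
        rights = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
        lines.append(f"{ace['type']} {ace['trustee']}: {rights}")
    return lines


def tamper_findings(sddl):
    """Flag ACEs that take service-control rights away from SYSTEM or Administrators."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "Deny" and ace["trustee"] in ("Administrators", "LocalSystem"):
            denied = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
            findings.append(f"explicit deny for {ace['trustee']}: {denied}")
        if ace["type"] == "Allow" and ace["trustee"] == "Administrators":
            missing = sorted(DEFAULT_ADMIN_RIGHTS - set(ace["rights"]))
            if missing:
                names = ", ".join(SERVICE_RIGHTS[r] for r in missing)
                findings.append(f"Administrators allow ACE is missing: {names}")
    return findings


# The descriptor from the sc sdset command line in the process list.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for line in describe(WINDEFENDER_SDDL) + tamper_findings(WINDEFENDER_SDDL):
        print(line)
```

On a suspect host, `sc sdshow WinDefender` prints the current descriptor in the same form and can be fed to `tamper_findings`. Because the Administrators allow ACE still carries WD (WriteDac) and DC (ChangeConfig), an administrator can write the default descriptor back with `sc sdset` and then stop the service; the deny ACE only defeats a plain stop request.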

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 492c185f-fad9-40c7-b3b6-6601964386a6.uuid.theupdatetime.org udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server4.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 52.111.227.13:443 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
N/A 127.0.0.1:31465 N/A tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
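
Most rows in this table are reverse (PTR) lookups whose in-addr.arpa names, read backwards, are the addresses that also appear as TCP destinations (204.79.197.237 for g.bing.com, 162.159.130.233 for cdn.discordapp.com, 185.82.216.108 for server4.theupdatetime.org, and so on). The remaining notable rows are the STUN query to stun.ipfire.org:3478, a name under theupdatetime.org whose leftmost label is a UUID, and two connections with no name at all, one of them to a local port. The script below is an added Python example, not part of the report; it parses rows in the table's format, reverses each PTR name back to an address and matches it against the non-DNS connections, and pulls out the UUID-labelled name, the STUN endpoint and the unnamed destinations. The rows embedded in it are a subset copied from the table above.

```python
import re

UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)

# Rows copied from the Network table above (a subset; the parser accepts the full table).
NETWORK_TABLE = """
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 492c185f-fad9-40c7-b3b6-6601964386a6.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server4.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 52.111.227.13:443 tcp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
N/A 127.0.0.1:31465 tcp
"""


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; a missing or N/A domain becomes ''."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:              # rows without a Domain column
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": "" if domain == "N/A" else domain, "proto": proto})
    return rows


def ptr_target(name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def _is_dns(row):
    return row["port"] == 53 and row["proto"] == "udp"


def triage(rows):
    """Correlate PTR lookups with observed connections and pull out the notable names."""
    connections = {}                        # destination IP -> {(domain, port, proto)}
    for r in rows:
        if not _is_dns(r):
            connections.setdefault(r["ip"], set()).add(
                (r["domain"] or "-", r["port"], r["proto"]))
    ptr, uuid_hosts = {}, []
    for r in rows:
        if not _is_dns(r):
            continue
        ip = ptr_target(r["domain"])
        if ip is not None:
            ptr[ip] = sorted(connections.get(ip, ()))   # connection the PTR refers back to
        elif UUID_LABEL.match(r["domain"]):
            uuid_hosts.append(r["domain"])
    conns = [c for cs in connections.values() for c in cs]
    return {
        "ptr_lookups": len(ptr),
        "ptr_matching_a_connection": sum(1 for v in ptr.values() if v),
        "ptr": ptr,
        "uuid_hosts": uuid_hosts,
        "external_hosts": sorted({d for d, _, _ in conns if d != "-"}),
        "unnamed_destinations": sorted(ip for ip, cs in connections.items()
                                       if all(d == "-" for d, _, _ in cs)),
        "stun": sorted({d for d, p, _ in conns if p == 3478}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

A UUID as the leftmost DNS label is worth a standing query in DNS logs, since the identifier travels in the lookup itself regardless of whether the connection that follows is encrypted; the correlation of PTR names with the destination list is the quickest way to see which of the many reverse lookups in a capture refer to connections the sample actually made.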

Files

memory/4116-1-0x0000000003C40000-0x000000000403D000-memory.dmp

memory/4116-2-0x0000000004040000-0x000000000492B000-memory.dmp

memory/4116-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4104-4-0x0000000002700000-0x0000000002736000-memory.dmp

memory/4104-5-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4104-6-0x0000000004880000-0x0000000004890000-memory.dmp

memory/4104-7-0x0000000004880000-0x0000000004890000-memory.dmp

memory/4104-8-0x0000000004EC0000-0x00000000054E8000-memory.dmp

memory/4104-9-0x0000000004E00000-0x0000000004E22000-memory.dmp

memory/4104-10-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/4104-11-0x0000000005560000-0x00000000055C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ur4z1e0u.sql.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4104-21-0x0000000005690000-0x00000000059E4000-memory.dmp

memory/4104-22-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

memory/4104-23-0x0000000005D80000-0x0000000005DCC000-memory.dmp

memory/4104-24-0x0000000006290000-0x00000000062D4000-memory.dmp

memory/4104-25-0x0000000007010000-0x0000000007086000-memory.dmp

memory/4104-26-0x0000000007710000-0x0000000007D8A000-memory.dmp

memory/4104-27-0x00000000070B0000-0x00000000070CA000-memory.dmp

memory/4104-28-0x000000007F110000-0x000000007F120000-memory.dmp

memory/4104-29-0x0000000007260000-0x0000000007292000-memory.dmp

memory/4104-30-0x0000000070820000-0x000000007086C000-memory.dmp

memory/4104-31-0x0000000070FC0000-0x0000000071314000-memory.dmp

memory/4104-41-0x00000000072A0000-0x00000000072BE000-memory.dmp

memory/4104-42-0x0000000004880000-0x0000000004890000-memory.dmp

memory/4104-43-0x00000000072C0000-0x0000000007363000-memory.dmp

memory/4104-44-0x00000000073B0000-0x00000000073BA000-memory.dmp

memory/4104-45-0x00000000074C0000-0x0000000007556000-memory.dmp

memory/4104-46-0x00000000073C0000-0x00000000073D1000-memory.dmp

memory/4104-47-0x0000000007400000-0x000000000740E000-memory.dmp

memory/4104-48-0x0000000007420000-0x0000000007434000-memory.dmp

memory/4104-49-0x0000000007460000-0x000000000747A000-memory.dmp

memory/4104-50-0x0000000007450000-0x0000000007458000-memory.dmp

memory/4104-53-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4116-54-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4116-56-0x0000000004040000-0x000000000492B000-memory.dmp

memory/64-57-0x0000000003AE0000-0x0000000003EE0000-memory.dmp

memory/64-58-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3176-61-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/3176-59-0x0000000074A20000-0x00000000751D0000-memory.dmp

memory/3176-60-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/3176-71-0x00000000059C0000-0x0000000005D14000-memory.dmp

memory/3176-72-0x0000000006060000-0x00000000060AC000-memory.dmp

memory/3176-74-0x0000000070920000-0x000000007096C000-memory.dmp

memory/3176-73-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

memory/3176-75-0x00000000710C0000-0x0000000071414000-memory.dmp

memory/3176-86-0x00000000071F0000-0x0000000007293000-memory.dmp

memory/3176-85-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/3176-87-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/3176-88-0x0000000007510000-0x0000000007521000-memory.dmp

memory/3176-89-0x0000000007560000-0x0000000007574000-memory.dmp

memory/3176-92-0x0000000074A20000-0x00000000751D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2812-94-0x0000000074A20000-0x00000000751D0000-memory.dmp

memory/2812-95-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/2812-96-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 35088858948dfe2bedfdb1e1dbb058cc
SHA1 275ba66a2fa0a054ce59e8a84c901dc8fc2835c1
SHA256 75ef30601c1b2213d4351331df067d8e6dabf5b3e739155d8f0992edd35fbaa0
SHA512 aecd86bb4f69d1e7eb41f864a517214c96da6d2d7144701171827c64f50eda8237a09fee13a70777894ae60c30783beb74542c500bcbeb0ad51d1c51a73403c0

memory/2812-108-0x0000000070920000-0x000000007096C000-memory.dmp

memory/2812-107-0x000000007F480000-0x000000007F490000-memory.dmp

memory/2812-109-0x00000000710C0000-0x0000000071414000-memory.dmp

memory/64-119-0x0000000003AE0000-0x0000000003EE0000-memory.dmp

memory/2812-120-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/2812-122-0x0000000074A20000-0x00000000751D0000-memory.dmp

memory/1620-123-0x0000000074A20000-0x00000000751D0000-memory.dmp

memory/1620-125-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/1620-124-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7529ce933adaf94cb0e07d4d93bbfb3d
SHA1 9f43d33925ac65bca310b012278bfda9ff62c2a8
SHA256 ef8b3f60364d4439b32db5451fc83bdb8a163aa2f5dffa648c0397edff2b9b8a
SHA512 ec0d8d27e68b49aea9c1e479c9e296335ee74caca37e0caed5415a5b504bd9325b5d8e3970a474f4995fe660eb4f372f957ac3f260f8260e8d8f7d28cf6c10f3

memory/1620-137-0x000000007EF70000-0x000000007EF80000-memory.dmp

memory/1620-136-0x0000000070920000-0x000000007096C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b12999ce98d04ba3116fbaf4ac1336e3
SHA1 3124dacffabb6cc3b5db8949fe247d8a5f9ebe13
SHA256 90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d
SHA512 a43f2e18cc9842334e5ecd9b1a7ef2a50bf06fc0db00b4f4fd87d96d196378bde3efba3cb5a5a39805cea9c1959b0ce10f203ffdea7dd279fefd1333be1d7ab8

memory/64-159-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ce6ce1d196a4c08ba27155c099fb16c1
SHA1 42b0f8c8f9d07c0fa61775cb1d37686261627ce2
SHA256 cfe85c2d505b65d89f9de662bdbac4f84db37b92c72e2d1f5c0975fee60af329
SHA512 c462832788ce1c6ce2c1b20ac329820a2c570067fbe2c410539796d9b356961a55990bcd9f88ff0289b6796410d1de65fbc8fc228a3c4b2b045ac6cc1ba6051b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2644484bf88a401ce77cb944b040437
SHA1 3fb0fe86e887e84198abfded22e4a0ff033de0f1
SHA256 014f409344509422cb45cf18745045cf576d962b843273b48d1958c6a76e458b
SHA512 fbe21b38c43887eaff6415f311b40c8899f19b27727b44da0011dc4f7ce08c220c61db58344ea0983f2825e50b1eb6f77f763fcff61f8a4f6a34f9dc11a4058d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d4ee6febb8a310823c45594a0bb369f1
SHA1 37962468194a39234b9af88c578c592a9af8f99c
SHA256 e19b709ed4a21b25096293beae076f2c5cd9cfefd7dd865f85ea2ea61996f128
SHA512 6db67db64dd7c6bc2974c312ede6409fa6b88225793f371a6c83a8231ad1625d056411ee22d7ec239def69d8baf9092763c524f8c56b85e69fc0fb7ee7399e29

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3040-261-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2376-269-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3040-270-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3692-271-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3040-272-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-274-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3692-275-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3040-276-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-278-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-280-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-282-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-284-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-286-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-288-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-290-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3040-292-0x0000000000400000-0x0000000001E06000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:53

Reported

2024-04-19 19:56

Platform

win11-20240412-en

Max time kernel

149s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 matches, no indicator detail recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no indicator detail recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
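
The persistence recorded in this detonation is the Run value listed above, a logon task created with /RL HIGHEST, and the inbound firewall allow rule from behavioral1; all three point at C:\Windows\rss\csrss.exe, which the Files section shows carries the submitted sample's own SHA256 (the loader copies itself) under the name of the real csrss.exe from System32. The triage below is an added Python example, not part of the report; it parses the schtasks and netsh command lines logged in behavioral1 (copied in as input) together with the Run value, and flags any autostart target that uses a system binary's name from outside the system directories. The list of names it checks is a short assumption, marked in the code.

```python
import ntpath
import re

# Assumption: a short list of System32 binary names that malware commonly borrows;
# extend it for real hunting.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "smss.exe", "lsass.exe", "services.exe", "wininit.exe",
    "winlogon.exe", "svchost.exe", "dwm.exe", "spoolsv.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Command lines copied from the behavioral1 process list, and the Run value from the
# "Adds Run key to start application" table above.
CMDLINES = [
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
]
RUN_VALUES = {"csrss": r'"C:\Windows\rss\csrss.exe"'}

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the action and the switches that matter for persistence, or None."""
    toks = tokens(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    info = {"action": None}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/run", "/query", "/end"):
            info["action"] = t[1:]
        elif t in ("/sc", "/rl", "/tr", "/tn", "/ru", "/mo", "/st") and i + 1 < len(toks):
            info[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return info


def parse_netsh_rule(cmdline):
    """Return the key=value pairs of a 'netsh advfirewall firewall add rule' line, or None."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if len(low) < 5 or ntpath.basename(low[0]) not in ("netsh", "netsh.exe") \
            or low[1:5] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    rule = {}
    for t in toks[5:]:
        key, _, value = t.partition("=")
        rule[key.lower()] = value.strip('"')
    return rule


def masquerade_findings(path):
    """Flag a system binary's name used from outside System32/SysWOW64."""
    base = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower().rstrip("\\")
    if base in SYSTEM_BINARY_NAMES and parent not in SYSTEM_DIRS:
        return [f"{base} started from {ntpath.dirname(path)} (the genuine binary lives in System32)"]
    return []


def triage_persistence(cmdlines, run_values):
    """Turn logged command lines and Run values into a list of findings."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None:
            if task["action"] == "create":
                findings.append(f"scheduled task {task.get('tn')!r} runs {task.get('tr')} "
                                f"(/SC {task.get('sc')}, /RL {task.get('rl')})")
                findings += masquerade_findings(task.get("tr", ""))
            elif task["action"] == "delete":
                findings.append(f"scheduled task {task.get('tn')!r} deleted")
            continue
        rule = parse_netsh_rule(line)
        if rule is not None and rule.get("action") == "allow":
            findings.append(f"firewall {rule.get('dir')}bound allow rule {rule.get('name')!r} "
                            f"for {rule.get('program')}")
            findings += masquerade_findings(rule.get("program", ""))
    for name, value in run_values.items():
        path = value.strip('"')
        findings.append(f"Run value {name!r} starts {path}")
        findings += masquerade_findings(path)
    return findings


if __name__ == "__main__":
    for finding in triage_persistence(CMDLINES, RUN_VALUES):
        print(finding)
```

The same parsers work on process-creation events from an EDR or Sysmon feed; on a live host the task itself is visible with `schtasks /query /tn csrss /v` and the rule with `netsh advfirewall firewall show rule name=csrss`. Note that `schtasks /delete /tn ScheduledUpdate` removes a task the sample did not create in this detonation, so a missing task is as much a lead as a new one.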

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (14 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A (12 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 events)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe C:\Windows\system32\cmd.exe
PID 4272 wrote to memory of 1264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 400 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe C:\Windows\rss\csrss.exe
PID 948 wrote to memory of 3908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 3488 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 2088 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4072 wrote to memory of 5032 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe

"C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe

"C:\Users\Admin\AppData\Local\Temp\90babd93c575e9562e7bd009f7574a0858e40ddd3ef07dc119f58364d994d38d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhevhhxn.3zo.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Windows\windefender.exe
