Malware Analysis Report

2025-08-06 03:26

Sample ID 240420-z8q35aag9x
Target 927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a
SHA256 927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a

Threat Level: Known bad

The file 927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-20 21:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 21:23

Reported

2024-04-20 21:26

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3960 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3960 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3960 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\system32\cmd.exe
PID 2004 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1648 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2004 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\rss\csrss.exe
PID 2004 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\rss\csrss.exe
PID 2004 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\rss\csrss.exe
PID 4816 wrote to memory of 1348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 3388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 3388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 3388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 208 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 208 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 208 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1408 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4816 wrote to memory of 1408 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4416 wrote to memory of 3748 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 3748 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 3748 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3748 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3748 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe

"C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe

"C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
NL 23.62.61.187:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 187.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43aeadd0-7f80-4681-9101-c8319a5be156.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server14.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.108:443 server14.databaseupgrade.ru tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server14.databaseupgrade.ru tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhja0k3s.dil.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 801b6daf71ee77d12ceda0fedc52a591
SHA1 a862b988703c39d76dd6103bf61bada03564b82f
SHA256 8bfb17a81a75f91f30b5187c661aa98280c932e9e9a206d48365e154ea34ff49
SHA512 b00c9e574952a2d8fa6a9adaa2e56a8ce545ab27e2c7cf7ce6c6488fb59d32f6a1e9e3e8da2a5625b2a67043164ab0dd6b860a1efe5fb0e4bca1de0f234de2db

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d2e7d03d312ff5f8987bb9084de0969
SHA1 da04633762536747e2147968057cc202558e21bc
SHA256 6e32623e9e188d80b5de682bc535ee2aaaf5e1a18af8f65453f7e6f7cd85113a
SHA512 130d6af69dc2bc4969890c683aaf944c92bee9755c76ba2c4302085187de64dd4083199e20d931aabe2afbfa655a34e844b7b591fbd35e40d67dfbb610e30113

C:\Windows\rss\csrss.exe

MD5 6685e2156a153adde6c43c864f8ce036
SHA1 3baa2e1b2b84e98a5582d542b36df23fca926d00
SHA256 927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a
SHA512 79981403fbc27ee07c6f5c13d84ba5f327be1569c3adfd00f682e94d61aabd4607e0dc2f116456fcfb525d48becf079ca9e05a4bdbbb784acd3e89aeacdb4466

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d1f238ece06861ead029fcf0464d7ec7
SHA1 4a70587d0204105ee3d9150bf5fdca39f78a87fa
SHA256 b1541f3568b5aa75b411796de2fda49a0c7429c76a8e67d24283b852e2a19e1d
SHA512 5f0be8b63a981461433de254d25374563f5afaf9e5c622d69be27b8c3cbdfe1b652c6a8b41264b9f03f2e4bf82a72a77ea0eb637a1510a4c4b36b09d1fa54dc0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c6e1503baa310f63ef1bfb2fae717a2
SHA1 a2d7b8b13b7bae804a0b604159a29e4ab3893934
SHA256 2d0e8d36f2efcce89c7aa7d0f60e7789fa30113c0eb571627d1106845244bc6d
SHA512 40ef4eb41c9a41de1e23ffb6bd3863a9b9353d88800ff206bed1062bc36880bf9cdb111ea125c033f78b9297c827f73957b7c6852a7cbff911d3fbb32ec76349

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b2d2d123030c42c3c5b61707b878a82
SHA1 95fdd40785733054d572edcb2084f06472432a3e
SHA256 f808420e767531005fdeb683f592d06fbda284f791f402f080c42b390c7681d3
SHA512 e69db9e753ddbe92da22b57a337fdbe8fd25a329ef8ec3feed835a21a60091a804ae00edb8f7899c7d4c5bd735fc653394c30e665e083018fde3d6adafa16981

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 21:23

Reported

2024-04-20 21:26

Platform

win11-20240412-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3600 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\system32\cmd.exe
PID 1828 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\system32\cmd.exe
PID 4604 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4604 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1828 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\rss\csrss.exe
PID 1828 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\rss\csrss.exe
PID 1828 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe C:\Windows\rss\csrss.exe
PID 4692 wrote to memory of 1668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 1668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 1668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4692 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2548 wrote to memory of 4964 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 4964 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 4964 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe

"C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe

"C:\Users\Admin\AppData\Local\Temp\927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
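
Read together, the command lines above are the sample's whole persistence and evasion chain: the submitted binary copies itself to C:\Windows\rss\csrss.exe (the Files section shows the dropped file carries the same SHA256 as the sample, so it is a self-copy under the name of a core system process), opens an inbound firewall rule for that path, registers it as an ONLOGON task at highest privileges, drops a DLL-injecting helper into Temp, and locks down the service that C:\Windows\windefender.exe installs. The following triage function is an added example (editor's detection logic, not the sandbox's own signatures); the OBSERVED list is copied from the process list above, and the pattern set and ATT&CK labels are the editor's choices:

```python
"""Tag the persistence and defence-evasion command lines from this report.

Added example (editor's detection logic, not the sandbox's). The OBSERVED
list is copied from the Processes section above; the pattern set and the
ATT&CK labels are the editor's.
"""
import re

# Directories that legitimately hold core Windows binaries. Sysnative is the
# 32-bit view of System32 and is what the sample itself uses for cmd.exe.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\sysnative\\")
# File names that should only ever run from SYSTEM_DIRS.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "svchost.exe", "wininit.exe"}

OBSERVED = [
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'powershell -nologo -noprofile',
]

# Absolute Windows paths ending in .exe or .dll, quoted or not.
PATH_RE = re.compile(r'[a-z]:\\[^"\s]+\.(?:exe|dll)', re.I)


def masquerading_paths(cmdline):
    """Paths whose file name is a core system binary but whose directory is
    not a Windows system directory (the dropped C:\\Windows\\rss\\csrss.exe)."""
    hits = []
    for path in PATH_RE.findall(cmdline):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            hits.append(path)
    return hits


def temp_dlls(cmdline):
    """DLLs under the user's Temp directory passed as arguments."""
    return [p for p in PATH_RE.findall(cmdline)
            if p.lower().endswith(".dll") and "\\appdata\\local\\temp\\" in p.lower()]


def triage(cmdline):
    """Return the list of tags a single command line earns (empty if clean)."""
    low = cmdline.lower()
    tags = []
    masq = masquerading_paths(cmdline)
    if masq:
        tags.append("T1036 masquerading: system binary name outside a system dir")
    if "schtasks" in low and "/create" in low:
        if "/rl highest" in low and masq:
            tags.append("T1053.005 scheduled task at highest privileges for a masqueraded binary")
        elif "/rl highest" in low:
            tags.append("T1053.005 scheduled task at highest privileges")
    if "schtasks" in low and "/delete" in low:
        tags.append("scheduled task deleted")
    if "netsh" in low and "advfirewall" in low and "action=allow" in low:
        tags.append("T1562.004 inbound firewall allow rule added")
    if re.search(r"\bsc(?:\.exe)?\s+sdset\b", low) and "(d;;" in low:
        tags.append("service DACL rewritten with an explicit deny ACE")
    if temp_dlls(cmdline) and not low.startswith(("rundll32", "regsvr32")):
        tags.append("T1055 DLL under Temp handed to a helper binary (injection)")
    return tags


def triage_all(cmdlines):
    """Map each flagged command line to its tags; clean lines are omitted."""
    return {c: triage(c) for c in cmdlines if triage(c)}


if __name__ == "__main__":
    for cmd, tags in triage_all(OBSERVED).items():
        print(cmd[:70] + ("..." if len(cmd) > 70 else ""))
        for t in tags:
            print("   ", t)
```

The bare `powershell -nologo -noprofile` launches earn no tag on their own: what they executed is not visible in this report, so a real deployment would join them to script block logging (Event ID 4104) rather than flag the launcher. The masquerading check is the highest-value rule here because it is independent of the task name, rule name and service name, all of which the operator can change between builds.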

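The `sc sdset WinDefender ...` line deserves a closer look, because the SDDL string is the mechanism by which the dropped service resists removal. Compared with the descriptor Windows gives a freshly created service, two things change: the Administrators allow ACE has lost the WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) rights, and a new deny ACE `(D;;WPDT;;;BA)` explicitly refuses those two rights to Administrators. An elevated `sc stop WinDefender` therefore fails with access denied. The decoder below is an added example (editor's code, not from the sample or the sandbox) that parses the DACL and reports what administrators lose and what they keep; the baseline "default service DACL" it compares against is the editor's assumption of a stock descriptor and does not appear in the report:

```python
"""Decode the service security descriptor set with `sc sdset WinDefender ...`.

Added example for this report (editor's code, not from the sample or the
sandbox). Interprets only the D: (DACL) part; the S: (SACL) part is split
off and ignored. The rights mapping is the documented meaning of the SDDL
generic codes for service objects.
"""
import re

# Two-letter SDDL access codes as they apply to a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Well-known SID abbreviations that appear in the ACEs on this page.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators",
            "IU": "Interactive", "SU": "Service", "WD": "Everyone"}

# The descriptor observed in the sandbox (Processes section of this report).
OBSERVED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumed baseline: the DACL Windows gives a freshly created service. Used only
# as the reference for the diff below; the report itself does not show it.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, trustee, set_of_right_codes)] for the D: section."""
    dacl = sddl.split("S:")[0]
    if not dacl.startswith("D:"):
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(dacl[2:]):
        fields = body.split(";")          # type;flags;rights;objguid;inhguid;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, TRUSTEES.get(trustee, trustee), codes))
    return aces


def effective_rights(aces, trustee):
    """Allowed codes minus denied codes for one trustee (a deny ACE wins)."""
    allowed, denied = set(), set()
    for ace_type, who, codes in aces:
        if who == trustee:
            (allowed if ace_type == "A" else denied).update(codes)
    return allowed - denied


def has_explicit_deny(sddl, trustee="Administrators"):
    """True if the DACL carries a deny ACE for the trustee; benign services
    almost never deny anything to the Administrators group."""
    return any(t == "D" and who == trustee for t, who, _ in parse_dacl(sddl))


def admin_rights_lost(observed=OBSERVED_SDDL, baseline=DEFAULT_SDDL):
    """Service rights Administrators hold under `baseline` but not under
    `observed`, as sorted human-readable names."""
    before = effective_rights(parse_dacl(baseline), "Administrators")
    after = effective_rights(parse_dacl(observed), "Administrators")
    return sorted(SERVICE_RIGHTS.get(c, c) for c in before - after)


def admin_rights_kept(observed=OBSERVED_SDDL):
    """What Administrators can still do to the service after the change."""
    codes = effective_rights(parse_dacl(observed), "Administrators")
    return sorted(SERVICE_RIGHTS.get(c, c) for c in codes)


if __name__ == "__main__":
    print("explicit deny for Administrators:", has_explicit_deny(OBSERVED_SDDL))
    print("rights removed from Administrators:", admin_rights_lost())
    print("rights Administrators keep:", admin_rights_kept())
```

The useful caveat for responders: the Administrators allow ACE still carries WD (WRITE_DAC) and WO (WRITE_OWNER), so an elevated operator can put a normal descriptor back with `sc sdset WinDefender <default SDDL>` and only then stop and delete the service. A deny ACE for BA in any service DACL is itself a strong hunting signal, since legitimate installers have no reason to withhold stop rights from administrators.
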
Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
N/A 127.0.0.1:31465 tcp

Files

memory/3600-1-0x0000000003DC0000-0x00000000041C1000-memory.dmp

memory/3600-2-0x00000000041D0000-0x0000000004ABB000-memory.dmp

memory/3600-3-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/612-4-0x0000000002720000-0x0000000002756000-memory.dmp

memory/612-5-0x0000000073DF0000-0x00000000745A1000-memory.dmp

memory/612-6-0x0000000002860000-0x0000000002870000-memory.dmp

memory/612-8-0x0000000002860000-0x0000000002870000-memory.dmp

memory/612-7-0x0000000004F00000-0x000000000552A000-memory.dmp

memory/612-9-0x0000000004E00000-0x0000000004E22000-memory.dmp

memory/612-10-0x0000000005530000-0x0000000005596000-memory.dmp

memory/612-11-0x00000000055A0000-0x0000000005606000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4yvpgur.ypf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/612-20-0x0000000005690000-0x00000000059E7000-memory.dmp

memory/612-21-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

memory/612-22-0x0000000005C10000-0x0000000005C5C000-memory.dmp

memory/612-23-0x0000000006BA0000-0x0000000006BE6000-memory.dmp

memory/612-25-0x0000000006FF0000-0x0000000007024000-memory.dmp

memory/612-27-0x00000000701E0000-0x0000000070537000-memory.dmp

memory/612-26-0x0000000070060000-0x00000000700AC000-memory.dmp

memory/612-37-0x0000000002860000-0x0000000002870000-memory.dmp

memory/612-36-0x0000000007030000-0x000000000704E000-memory.dmp

memory/612-38-0x0000000007050000-0x00000000070F4000-memory.dmp

memory/612-24-0x000000007FB10000-0x000000007FB20000-memory.dmp

memory/612-39-0x00000000077C0000-0x0000000007E3A000-memory.dmp

memory/612-40-0x0000000007170000-0x000000000718A000-memory.dmp

memory/612-41-0x00000000071B0000-0x00000000071BA000-memory.dmp

memory/612-42-0x00000000072C0000-0x0000000007356000-memory.dmp

memory/612-43-0x00000000071E0000-0x00000000071F1000-memory.dmp

memory/612-44-0x0000000007220000-0x000000000722E000-memory.dmp

memory/612-45-0x0000000007230000-0x0000000007245000-memory.dmp

memory/612-46-0x0000000007280000-0x000000000729A000-memory.dmp

memory/612-47-0x00000000072A0000-0x00000000072A8000-memory.dmp

memory/612-50-0x0000000073DF0000-0x00000000745A1000-memory.dmp

memory/1828-52-0x0000000003CA0000-0x00000000040A2000-memory.dmp

memory/1828-53-0x00000000040B0000-0x000000000499B000-memory.dmp

memory/3600-54-0x0000000003DC0000-0x00000000041C1000-memory.dmp

memory/1828-55-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/1884-57-0x0000000004700000-0x0000000004710000-memory.dmp

memory/1884-56-0x0000000004700000-0x0000000004710000-memory.dmp

memory/3600-66-0x00000000041D0000-0x0000000004ABB000-memory.dmp

memory/1884-67-0x0000000073DF0000-0x00000000745A1000-memory.dmp

memory/1884-68-0x000000007F7E0000-0x000000007F7F0000-memory.dmp

memory/1884-69-0x0000000070060000-0x00000000700AC000-memory.dmp

memory/1884-70-0x00000000701E0000-0x0000000070537000-memory.dmp

memory/1884-79-0x0000000006D60000-0x0000000006E04000-memory.dmp

memory/3600-80-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/1884-81-0x0000000004700000-0x0000000004710000-memory.dmp

memory/1884-82-0x0000000004700000-0x0000000004710000-memory.dmp

memory/1884-83-0x0000000007080000-0x0000000007091000-memory.dmp

memory/1884-84-0x00000000070D0000-0x00000000070E5000-memory.dmp

memory/1884-87-0x0000000073DF0000-0x00000000745A1000-memory.dmp

memory/764-89-0x0000000073DF0000-0x00000000745A1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/764-90-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/764-92-0x0000000005E80000-0x00000000061D7000-memory.dmp

memory/764-91-0x0000000004F40000-0x0000000004F50000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3e16106f18c381ed226040b13b55b5f
SHA1 9531d5d8604b628e4e116d94920a64524b273197
SHA256 f36d857efa02f91fc416a96e4174b2b71ef55d1b7847a41acdff765b92b4a41f
SHA512 5b7cba7fada85ff182f012daec5ade24841bc278920cc889b5fc104cc0df380e1aa623390bd624ed0dbf36a064ff0647e5d9560dba49f70a47c694bba2e9a5df

memory/764-102-0x0000000070060000-0x00000000700AC000-memory.dmp

memory/764-103-0x00000000702B0000-0x0000000070607000-memory.dmp

memory/1828-112-0x0000000003CA0000-0x00000000040A2000-memory.dmp

memory/764-114-0x0000000073DF0000-0x00000000745A1000-memory.dmp

memory/2064-115-0x0000000073DF0000-0x00000000745A1000-memory.dmp

memory/2064-125-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

memory/2064-124-0x0000000005A30000-0x0000000005D87000-memory.dmp

memory/2064-126-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf987954bcd8ca4ecb389cc0d50ce4dd
SHA1 01552e75303ccef04569803b96196af6cc909d31
SHA256 3d61fe93b0fe3405b4cab4aa7d95a286e90698736ac85be3be37b2412c2a3bf7
SHA512 94d33b66f3218ba9c195a4aeb6ed4b50f7ca87a1bf1b803d5fcd36b60dfae409dc2420f1178e9cece5c19030d4047022dd8355b04c5e44333c55aa2978a1baba

memory/2064-129-0x0000000070060000-0x00000000700AC000-memory.dmp

memory/2064-130-0x0000000070270000-0x00000000705C7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6685e2156a153adde6c43c864f8ce036
SHA1 3baa2e1b2b84e98a5582d542b36df23fca926d00
SHA256 927125edace983867b209ca94ff7c96017c02532c14b08be642d1f7b1d1d691a
SHA512 79981403fbc27ee07c6f5c13d84ba5f327be1569c3adfd00f682e94d61aabd4607e0dc2f116456fcfb525d48becf079ca9e05a4bdbbb784acd3e89aeacdb4466

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3356e72f62c72894e0e5eab1f766e71d
SHA1 1671ba853975ddcb77e15705042f0d3ed6d5af63
SHA256 c99db9d8ae8843bc354da565ddba01dbe0d8ad4af8400652e307e21fff1cc030
SHA512 c45d937d38dc7f6cf9b4248287e252e4026e988815b55a7c7b8ad2d8c0a811ceabe49ea109ea22dcdcdf9da692bc6ac51b893bd84ab533982a4f75b58e06d59c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a136b929d231d4774183f09103058a7d
SHA1 e6beb3146b2be7adb0eaffded7fcf3b464147e2a
SHA256 eb163771f5c7081e101b2d3629cca69c98e5590c3fd5d4750471cdf4ac05a300
SHA512 c8c358c9f279d8e956ff04ca9f03d278cfc6e96359f3d85252a93a2b2d8ea03931e102dc717a5523ba8751be3401eb96b706cb717e665ee55ac2bc84681fa879

memory/1828-188-0x0000000000400000-0x0000000001DF9000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8bde5bbdb3b499be9b6e0f267af49da3
SHA1 b1d7232492876d6ca55f3ebaac4ae226bf2a12fe
SHA256 aecce541f3bc94cdb3246749af077438309b9e468a0476405211a8853034b778
SHA512 1c5a01d6aa07334b9573fef68e12acf68fef60a4ec2371c0a078608ecfbcf35b65e3e80b68593be0f7b229c134a24d1766497a1e8ab09c5be37d443bac5e5515

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4692-239-0x0000000000400000-0x0000000001DF9000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2548-248-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4692-250-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/1716-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4692-254-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-258-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/1716-260-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4692-262-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-266-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-270-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-274-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-278-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-282-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-286-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-290-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4692-294-0x0000000000400000-0x0000000001DF9000-memory.dmp