Malware Analysis Report

2025-06-16 01:59

Sample ID 240509-vabhkafb83
Target aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc
SHA256 aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc

Threat Level: Known bad

The file aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 16:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 16:46

Reported

2024-05-09 16:49

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3924 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\system32\cmd.exe
PID 2752 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2752 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2384 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\rss\csrss.exe
PID 2384 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\rss\csrss.exe
PID 2384 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\rss\csrss.exe
PID 4364 wrote to memory of 2772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 2772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 2772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 4352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 4352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 4352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3344 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4364 wrote to memory of 3344 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3916 wrote to memory of 1384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 1384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 1384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1384 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1384 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe

"C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe

"C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 105.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 b3e51ed5-967b-404b-960b-5da596ed5bd9.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server2.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp

Files

memory/3924-1-0x0000000003220000-0x0000000003626000-memory.dmp

memory/3924-2-0x0000000004FD0000-0x00000000058BB000-memory.dmp

memory/3924-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-4-0x0000000074F5E000-0x0000000074F5F000-memory.dmp

memory/4988-5-0x0000000002D50000-0x0000000002D86000-memory.dmp

memory/4988-6-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4988-7-0x00000000053D0000-0x00000000059F8000-memory.dmp

memory/4988-8-0x0000000005340000-0x0000000005362000-memory.dmp

memory/4988-12-0x0000000005CA0000-0x0000000005D06000-memory.dmp

memory/4988-10-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/4988-9-0x0000000074F50000-0x0000000075700000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2kacgehd.r22.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4988-22-0x0000000005D10000-0x0000000006064000-memory.dmp

memory/3924-11-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4988-23-0x0000000006290000-0x00000000062AE000-memory.dmp

memory/4988-24-0x0000000006360000-0x00000000063AC000-memory.dmp

memory/4988-25-0x0000000007220000-0x0000000007264000-memory.dmp

memory/4988-26-0x0000000007430000-0x00000000074A6000-memory.dmp

memory/4988-27-0x0000000007D30000-0x00000000083AA000-memory.dmp

memory/4988-28-0x00000000076D0000-0x00000000076EA000-memory.dmp

memory/4988-30-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/4988-29-0x0000000007880000-0x00000000078B2000-memory.dmp

memory/4988-42-0x00000000078C0000-0x00000000078DE000-memory.dmp

memory/4988-32-0x0000000071570000-0x00000000718C4000-memory.dmp

memory/4988-31-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4988-43-0x00000000078E0000-0x0000000007983000-memory.dmp

memory/4988-44-0x00000000079D0000-0x00000000079DA000-memory.dmp

memory/4988-45-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4988-46-0x0000000007A90000-0x0000000007B26000-memory.dmp

memory/4988-47-0x0000000007A10000-0x0000000007A21000-memory.dmp

memory/4988-48-0x0000000007A50000-0x0000000007A5E000-memory.dmp

memory/4988-49-0x0000000007A60000-0x0000000007A74000-memory.dmp

memory/4988-50-0x0000000007B50000-0x0000000007B6A000-memory.dmp

memory/4988-51-0x0000000007B30000-0x0000000007B38000-memory.dmp

memory/4988-54-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3924-56-0x0000000003220000-0x0000000003626000-memory.dmp

memory/3924-57-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3924-58-0x0000000004FD0000-0x00000000058BB000-memory.dmp

memory/3924-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1012-69-0x0000000005FB0000-0x0000000006304000-memory.dmp

memory/2384-70-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1012-71-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/1012-72-0x0000000070F70000-0x00000000712C4000-memory.dmp

memory/1012-82-0x0000000007600000-0x00000000076A3000-memory.dmp

memory/1012-83-0x0000000007940000-0x0000000007951000-memory.dmp

memory/1012-84-0x0000000007990000-0x00000000079A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4eb7abcd47e1d3039eb7ac36d2da9b3d
SHA1 adf2b1bd1c38d28abb28a58ec9f5ef49294a26c8
SHA256 14798f28f9ced6a5d3545c5831ff4f9b1e82a163bc9a9004066deb60f6250802
SHA512 d32f869e0ce2c39a61811d59cf7ecbf93ba3f65054306c4d889d2d27ded838482b8b55543089fa41cad1aed34b705ebedd78ad97b327eb31ccdbd149577390d0

memory/5052-99-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/5052-100-0x0000000070F70000-0x00000000712C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f46f815c24b1f7e726f45e09aad074a
SHA1 ca48cb1e9ab4bbcdc6a0cd1641df7eb4718a0dec
SHA256 bb1edce0b5ed06b81c7149d87f929c38837cc3607ce7f6c260f00e8411e1c0f7
SHA512 b105e8fbe9084517de6af984f737f4c8443bd8cacbf83d2e70bacfd0e174cbbac9d70c434687e469ae941bc504ea7396453332568b282bc4d1eb3b1f96a0b6d5

memory/4888-121-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/4888-122-0x0000000071570000-0x00000000718C4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 db9e8e6d1ea4c597ee5923d3e6b39224
SHA1 093ab95e3debe5bef329c930020766fe27f19d6c
SHA256 aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc
SHA512 55dd8fd6c3ce60af0bdc9a503ff86eb57739ff2ce5245a27cfebfca65dc8ac2005f4bf6a155a162ae2ec95eb014941ae2831e7e66e6c8098e962388645c66096

memory/2384-138-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 645b4745e74981ab03c566f9cc9d90bf
SHA1 64c9f484c933003d530f080dd7ce3c7df25265b3
SHA256 e352425df5d3ad0641f5b79f1b8011b7a205678463a096a9a9933415a085dd4e
SHA512 dcf6b5aa4a77c1f639f6f1d7e1c7febdbbc39a5c5e327fc9d9cfd809c94adce633e14f729dfedb731d3c4dd69ddb3e8306bc5ac81e4aa19daaea92b97f6efcd8

memory/2772-152-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/2772-153-0x0000000071570000-0x00000000718C4000-memory.dmp

memory/4364-151-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3752-174-0x0000000006370000-0x00000000066C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 94cd138aa2f522a62b1f21956dafe1e4
SHA1 7e62561d75f7d8b7e43d5863b9dff66eca3c62d6
SHA256 7f9862ca3fc6bbd8a36b4bd8b180a2c11d19d526cecc1ccb1a398474147fca46
SHA512 91d963a6752c62eef6d969acbd5bbbf2a1e972e82dbb0413cf74f720360441aef78f0d52e4db327b9c8880533064bbe48c3157d268c70e2a7c73b88c81054352

memory/3752-176-0x0000000006D70000-0x0000000006DBC000-memory.dmp

memory/3752-177-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/3752-178-0x0000000070E90000-0x00000000711E4000-memory.dmp

memory/3752-188-0x0000000007B00000-0x0000000007BA3000-memory.dmp

memory/3752-189-0x0000000007E40000-0x0000000007E51000-memory.dmp

memory/3752-190-0x0000000006160000-0x0000000006174000-memory.dmp

memory/4352-197-0x0000000006140000-0x0000000006494000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a1d050dc900352b681acce291d26b744
SHA1 481f5aa3b5a22345be652101ba99ed145ae05283
SHA256 4e585f72bd57448cbda0669b0ccb88f5270e474225e77dc2b43d38e4dbcf9179
SHA512 f5b0bd2d43341c09eed55b7a81dd8fdc7c7c5c2d9b37ee91c874413826bca78c06528bef6c861e0c4022cff7831844db8740b2707488b7bf11e38a8f17d56b20

memory/4352-204-0x00000000714A0000-0x00000000717F4000-memory.dmp

memory/4352-203-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/4364-214-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4364-223-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3916-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3916-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-235-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4876-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-239-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4364-243-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4876-245-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-246-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4364-251-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4364-255-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4364-259-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4364-262-0x0000000000400000-0x0000000002ED6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 16:46

Reported

2024-05-09 16:49

Platform

win11-20240508-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2876 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2888 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\rss\csrss.exe
PID 2888 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\rss\csrss.exe
PID 2888 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe C:\Windows\rss\csrss.exe
PID 4016 wrote to memory of 2960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4016 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3076 wrote to memory of 4436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 4436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 4436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4436 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4436 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
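
The rows above record one entry per write, so each parent/child pair repeats and the lineage is hard to read off the table. The Python below, added here as an example and not part of the sandbox report, rebuilds the process tree from the de-duplicated rows, keeps the two different processes that share PID 4436 (a powershell.exe child of 2888 and a cmd.exe child of 3076, so the sandbox recycled the PID) apart by keying on (pid, image), and flags csrss.exe executing from C:\Windows\rss\ instead of System32. The EVENTS list is constructed from the table; the EXPECTED_DIRS allow-list is an assumption for the example, not an exhaustive one.

```python
"""Rebuild process lineage from WriteProcessMemory rows and flag masquerading
and PID reuse. Example code for this report; EVENTS is constructed from the
table, EXPECTED_DIRS is an assumed (short) allow-list."""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"

# (parent_pid, child_pid, parent_image, child_image): one row per distinct pair
EVENTS = [
    (3920, 2260, SAMPLE, PS),
    (2888, 2776, SAMPLE, PS),
    (2888, 2876, SAMPLE, r"C:\Windows\system32\cmd.exe"),
    (2876, 3356, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\netsh.exe"),
    (2888, 4436, SAMPLE, PS),
    (2888, 3476, SAMPLE, PS),
    (2888, 4016, SAMPLE, CSRSS),
    (4016, 2960, CSRSS, PS),
    (4016, 1980, CSRSS, PS),
    (4016, 2932, CSRSS, PS),
    (4016, 1492, CSRSS, r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"),
    (3076, 4436, r"C:\Windows\windefender.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    (4436, 2388, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\sc.exe"),
]

# Assumed allow-list: directories these system binary names legitimately run from.
EXPECTED_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "netsh.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sc.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def images_by_pid(events):
    """Every image path seen for each PID, on either side of a write."""
    seen = defaultdict(set)
    for ppid, cpid, pimg, cimg in events:
        seen[ppid].add(pimg)
        seen[cpid].add(cimg)
    return seen


def reused_pids(events):
    """PIDs that carry more than one image: a tree keyed on PID alone would merge them."""
    return {pid for pid, imgs in images_by_pid(events).items() if len(imgs) > 1}


def masquerading(events):
    """(pid, image) pairs whose file name is an allow-listed system binary running elsewhere."""
    hits = set()
    for pid, imgs in images_by_pid(events).items():
        for img in imgs:
            name = ntpath.basename(img).lower()
            if name in EXPECTED_DIRS and ntpath.dirname(img).lower() not in EXPECTED_DIRS[name]:
                hits.add((pid, img))
    return hits


def build_tree(events):
    """parent (pid, image) -> list of child (pid, image), in table order."""
    tree = defaultdict(list)
    for ppid, cpid, pimg, cimg in events:
        tree[(ppid, pimg)].append((cpid, cimg))
    return tree


def roots(events):
    """Nodes that are parents but never appear as a child."""
    children = {(cpid, cimg) for _, cpid, _, cimg in events}
    return sorted(node for node in build_tree(events) if node not in children)


def render(events):
    """Indented tree, marking masquerading nodes."""
    tree, flagged, lines = build_tree(events), masquerading(events), []

    def walk(node, depth):
        mark = "  <-- masquerade" if node in flagged else ""
        lines.append(f"{'  ' * depth}{node[0]} {ntpath.basename(node[1])}{mark}")
        for child in tree.get(node, []):
            walk(child, depth + 1)

    for root in roots(events):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVENTS))
    print("PID reuse:", sorted(reused_pids(EVENTS)))
```

Three roots come out (two instances of the sample and windefender.exe), which matches the Files section where C:\Windows\rss\csrss.exe carries the same SHA256 as the sample. The PID-reuse check matters for any detection that stitches parent/child events by PID over a time window.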

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe

"C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe

"C:\Users\Admin\AppData\Local\Temp\aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
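
The `sc sdset WinDefender ...` command line above rewrites the security descriptor of the service that windefender.exe registered. The Python below, an example added for this report and not code from the sample or the sandbox, decodes that SDDL with the documented two-letter service-rights codes and resolves, per trustee, which service controls are allowed or denied, walking the ACEs in listed order the way an access check does. It matches a trustee's own SID only and does not expand group membership (an interactive administrator also matches the IU ACE in reality); that simplification is an assumption of the example.

```python
"""Decode the service DACL set by `sc sdset` and show what each trustee may do.
Example code for this report; SDDL is copied from the command line above."""
import re

SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
        "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL access codes as they map onto service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon", "WD": "Everyone"}


def parse_dacl(sddl):
    """DACL ACEs as (ace_type, set of right codes, trustee) in listed order.
    Only the letter-code form used above is handled; hex masks raise."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in descriptor")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        ace_type, rights, sid = parts[0], parts[2], parts[5]
        if rights.startswith("0x"):
            raise ValueError("hex access masks not handled by this example")
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        unknown = codes - SERVICE_RIGHTS.keys()
        if unknown:
            raise ValueError(f"unknown right codes: {sorted(unknown)}")
        aces.append((ace_type, codes, sid))
    return aces


def effective_rights(sddl, trustee):
    """{right_code: 'allow' | 'deny' | 'none'} for one trustee SID.
    The first ACE in order that mentions a right decides it, so an allow ACE
    listed before a deny ACE would win for any right both mention."""
    aces = [a for a in parse_dacl(sddl) if a[2] == trustee]
    result = {}
    for code in SERVICE_RIGHTS:
        verdict = "none"
        for ace_type, codes, _ in aces:
            if code in codes:
                verdict = "allow" if ace_type in ("A", "OA") else "deny"
                break
        result[code] = verdict
    return result


def denied_controls(sddl):
    """{trustee: sorted names of rights explicitly denied}: the lockout view."""
    out = {}
    for ace_type, codes, sid in parse_dacl(sddl):
        if ace_type in ("D", "OD"):
            out.setdefault(sid, set()).update(SERVICE_RIGHTS[c] for c in codes)
    return {sid: sorted(names) for sid, names in out.items()}


def report(sddl):
    """One line per trustee listing allowed and denied service rights."""
    lines = []
    for sid in sorted({a[2] for a in parse_dacl(sddl)}):
        rights = effective_rights(sddl, sid)
        allowed = ", ".join(SERVICE_RIGHTS[c] for c, v in rights.items() if v == "allow")
        denied = ", ".join(SERVICE_RIGHTS[c] for c, v in rights.items() if v == "deny")
        lines.append(f"{TRUSTEES.get(sid, sid)}: allow [{allowed}] deny [{denied}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SDDL))
```

Decoded, the descriptor lets LocalSystem start, stop and pause the service, but the Administrators allow ACE omits WP and DT and a separate ACE denies them, so `sc stop` or `net stop` from an elevated shell fails while the service keeps running. The deny ACE is listed after the allow ACE, which is non-canonical ordering, but it still bites here because the allow ACE never grants those two rights. The same Administrators ACE keeps WRITE_DAC and DELETE, so an administrator can rewrite the descriptor with another `sc sdset` and then stop the service, or delete it outright.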

Network

Country Destination Domain Proto
BE 2.17.196.123:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
BG 185.82.216.108:443 server8.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server8.databaseupgrade.ru tcp
BG 185.82.216.108:443 server8.databaseupgrade.ru tcp

Files

memory/3920-1-0x0000000003520000-0x0000000003925000-memory.dmp

memory/3920-2-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/3920-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2260-6-0x000000007447E000-0x000000007447F000-memory.dmp

memory/2260-5-0x0000000004C30000-0x0000000004C66000-memory.dmp

memory/2260-7-0x00000000053C0000-0x00000000059EA000-memory.dmp

memory/2260-8-0x0000000074470000-0x0000000074C21000-memory.dmp

memory/3920-4-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2260-9-0x0000000074470000-0x0000000074C21000-memory.dmp

memory/2260-10-0x00000000051E0000-0x0000000005202000-memory.dmp

memory/2260-11-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/2260-12-0x0000000005A60000-0x0000000005AC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zurv2ip.c5y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2260-21-0x0000000005B70000-0x0000000005EC7000-memory.dmp

memory/2260-22-0x00000000060C0000-0x00000000060DE000-memory.dmp

memory/2260-23-0x00000000060F0000-0x000000000613C000-memory.dmp

memory/2260-24-0x0000000006640000-0x0000000006686000-memory.dmp

memory/2260-25-0x00000000074D0000-0x0000000007504000-memory.dmp

memory/2260-26-0x00000000706E0000-0x000000007072C000-memory.dmp

memory/2260-27-0x0000000070870000-0x0000000070BC7000-memory.dmp

memory/2260-36-0x0000000007510000-0x000000000752E000-memory.dmp

memory/2260-37-0x0000000007530000-0x00000000075D4000-memory.dmp

memory/2260-38-0x0000000007CA0000-0x000000000831A000-memory.dmp

memory/2260-39-0x0000000007660000-0x000000000767A000-memory.dmp

memory/2260-40-0x00000000076A0000-0x00000000076AA000-memory.dmp

memory/2260-41-0x00000000077B0000-0x0000000007846000-memory.dmp

memory/2260-42-0x00000000076C0000-0x00000000076D1000-memory.dmp

memory/2260-43-0x0000000007710000-0x000000000771E000-memory.dmp

memory/2260-44-0x0000000007720000-0x0000000007735000-memory.dmp

memory/2260-45-0x0000000007770000-0x000000000778A000-memory.dmp

memory/2260-46-0x0000000007790000-0x0000000007798000-memory.dmp

memory/2260-49-0x0000000074470000-0x0000000074C21000-memory.dmp

memory/3920-51-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3920-52-0x0000000003520000-0x0000000003925000-memory.dmp

memory/3920-54-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/2888-53-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2776-63-0x0000000005DC0000-0x0000000006117000-memory.dmp

memory/2776-64-0x00000000706E0000-0x000000007072C000-memory.dmp

memory/2776-65-0x0000000070860000-0x0000000070BB7000-memory.dmp

memory/2776-74-0x00000000074B0000-0x0000000007554000-memory.dmp

memory/2776-75-0x00000000077F0000-0x0000000007801000-memory.dmp

memory/2776-76-0x0000000007840000-0x0000000007855000-memory.dmp

memory/3920-80-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 443505ff96ed1b326db1903d10fac875
SHA1 866b5f627c7b12abf14038926233e1ef389ad7b7
SHA256 2cb237d265341103764591b586c2449689040e4864b23b6ac4a859965b72cfad
SHA512 079c3a12c7c101e949732b9cf93335db573f8aa1eeec3751063d993fed36e84790d73fec74222e4788af97897d00761926a7445fc208bfaa004e2da4280efb4c

memory/4436-92-0x0000000070860000-0x0000000070BB7000-memory.dmp

memory/4436-91-0x00000000706E0000-0x000000007072C000-memory.dmp

memory/3476-102-0x0000000005F90000-0x00000000062E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 98699f12d7d66ac4586fb0290b09a478
SHA1 51807c9c2fe5565e848a2f58c0e00d7e1bf9ed8e
SHA256 ec8530f0a8b661875d8d3be9c4e05371df8e2c7c629272285ca004c3db0f133c
SHA512 591c0b1ebf5c78b261cea1685e92e6f41155fcf6cb66c83e86daf86e21e4460d0dd8928df1e2e4b659c1b002b234c5dc52a33321d441ca73bd9a9566d30ad62e

memory/3476-112-0x00000000706E0000-0x000000007072C000-memory.dmp

memory/3476-113-0x0000000070930000-0x0000000070C87000-memory.dmp

memory/2888-122-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 db9e8e6d1ea4c597ee5923d3e6b39224
SHA1 093ab95e3debe5bef329c930020766fe27f19d6c
SHA256 aac8a4511948da02d3e46a9b07d1aa3f82a0d7120cc33291e9519c81e23783bc
SHA512 55dd8fd6c3ce60af0bdc9a503ff86eb57739ff2ce5245a27cfebfca65dc8ac2005f4bf6a155a162ae2ec95eb014941ae2831e7e66e6c8098e962388645c66096

memory/2888-129-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 534945e5f2923b125f42f1baa4a538aa
SHA1 68ffdbc464caf91a97bba4fab24e482a91e8a7f8
SHA256 de4d9de46615057bc19385aec385791d8daa806b685648ce2dca3f35addf618e
SHA512 5913b44713c695c92ee4a773128d069e883a9843338e642e32594ff4f305a62b3a3c4fcef414ec0ced48ad073fa4337763ba012aae92129c60c144c0e01190a4

memory/2960-140-0x00000000706E0000-0x000000007072C000-memory.dmp

memory/2960-141-0x0000000070860000-0x0000000070BB7000-memory.dmp

memory/1980-160-0x0000000005B40000-0x0000000005E97000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9933c7658d519d7b6c15b9d96171e132
SHA1 013cd695ce804c19d7df3a9ac940b42f414e0927
SHA256 fddd8bb031b9712b990019b861f9e2a9cd058f42aad209b571d9b8dfabd44c45
SHA512 c21ce4ac4100e54363a20368998753ef639ba2add1a9829b865944b3d36d0b095e6c0457a579f515a066759e82f2f0cfa10e50606119f4dd35ed6f1fb92bb024

memory/1980-162-0x0000000006090000-0x00000000060DC000-memory.dmp

memory/1980-163-0x0000000070600000-0x000000007064C000-memory.dmp

memory/1980-164-0x0000000070780000-0x0000000070AD7000-memory.dmp

memory/1980-173-0x0000000007230000-0x00000000072D4000-memory.dmp

memory/1980-174-0x00000000075E0000-0x00000000075F1000-memory.dmp

memory/1980-175-0x0000000005990000-0x00000000059A5000-memory.dmp

memory/2932-185-0x0000000005F50000-0x00000000062A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f36d7e4e1fd588f5f0e7eb7c698945e6
SHA1 948ea41a8da3f692f56d7df06c5a5748a6b9a0cf
SHA256 d69565d1910421554dae1e09d9f79dd764c953bc8dc835a9d6b447ea27b930b0
SHA512 c720abe6cccbb216b7e192eaa724c1f1d376bbe67e5bc8b80d0ff95c627fb0ce9e0eb568d49384e2eeb4361beca5f9254143fde2c36b5c39c43f55eb66776c35

memory/2932-187-0x0000000070600000-0x000000007064C000-memory.dmp

memory/2932-188-0x0000000070810000-0x0000000070B67000-memory.dmp

memory/4016-197-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4016-205-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3076-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2376-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3076-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4016-215-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2376-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4016-218-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4016-221-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2376-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4016-224-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4016-227-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4016-230-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4016-233-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4016-236-0x0000000000400000-0x0000000002ED6000-memory.dmp