Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-vae6racb4w
Target a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9
SHA256 a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9

Threat Level: Known bad

The file a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 16:46

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 16:46

Reported

2024-05-09 16:49

Platform

win11-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\system32\cmd.exe
PID 4668 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\system32\cmd.exe
PID 1844 wrote to memory of 4228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1844 wrote to memory of 4228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4668 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\rss\csrss.exe
PID 4668 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\rss\csrss.exe
PID 4668 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\rss\csrss.exe
PID 3720 wrote to memory of 4636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 5064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 5064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 5064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 3252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 3252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 3252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 2884 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3720 wrote to memory of 2884 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4648 wrote to memory of 5104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 5104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 5104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5104 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5104 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe

"C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe

"C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 65aab081-c33b-44f1-9c8d-11e8fc743a45.uuid.statscreate.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server15.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.96:443 server15.statscreate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server15.statscreate.org tcp
BG 185.82.216.96:443 server15.statscreate.org tcp
BG 185.82.216.96:443 server15.statscreate.org tcp

Files

memory/4972-1-0x0000000003210000-0x0000000003617000-memory.dmp

memory/4972-2-0x0000000005000000-0x00000000058EB000-memory.dmp

memory/4972-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4564-4-0x000000007406E000-0x000000007406F000-memory.dmp

memory/4564-5-0x0000000004A50000-0x0000000004A86000-memory.dmp

memory/4564-6-0x0000000074060000-0x0000000074811000-memory.dmp

memory/4564-7-0x0000000005230000-0x000000000585A000-memory.dmp

memory/4564-9-0x0000000074060000-0x0000000074811000-memory.dmp

memory/4564-11-0x00000000059C0000-0x0000000005A26000-memory.dmp

memory/4564-10-0x0000000005860000-0x00000000058C6000-memory.dmp

memory/4564-8-0x0000000005150000-0x0000000005172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kw41u1ex.aiv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4564-20-0x0000000005A30000-0x0000000005D87000-memory.dmp

memory/4564-21-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/4564-22-0x0000000005F80000-0x0000000005FCC000-memory.dmp

memory/4564-23-0x0000000006490000-0x00000000064D6000-memory.dmp

memory/4564-25-0x00000000702D0000-0x000000007031C000-memory.dmp

memory/4564-36-0x0000000007370000-0x0000000007414000-memory.dmp

memory/4564-35-0x0000000007350000-0x000000000736E000-memory.dmp

memory/4564-26-0x00000000704A0000-0x00000000707F7000-memory.dmp

memory/4564-24-0x0000000007310000-0x0000000007344000-memory.dmp

memory/4564-38-0x00000000074A0000-0x00000000074BA000-memory.dmp

memory/4564-37-0x0000000007AE0000-0x000000000815A000-memory.dmp

memory/4564-39-0x00000000074E0000-0x00000000074EA000-memory.dmp

memory/4564-40-0x00000000075F0000-0x0000000007686000-memory.dmp

memory/4564-41-0x0000000007500000-0x0000000007511000-memory.dmp

memory/4564-42-0x0000000007550000-0x000000000755E000-memory.dmp

memory/4564-43-0x0000000007560000-0x0000000007575000-memory.dmp

memory/4564-44-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/4564-45-0x00000000075D0000-0x00000000075D8000-memory.dmp

memory/4564-48-0x0000000074060000-0x0000000074811000-memory.dmp

memory/4972-50-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2424-56-0x0000000006240000-0x0000000006597000-memory.dmp

memory/4972-60-0x0000000003210000-0x0000000003617000-memory.dmp

memory/2424-61-0x00000000702D0000-0x000000007031C000-memory.dmp

memory/2424-62-0x0000000070520000-0x0000000070877000-memory.dmp

memory/2424-71-0x0000000007940000-0x00000000079E4000-memory.dmp

memory/2424-72-0x0000000007C90000-0x0000000007CA1000-memory.dmp

memory/2424-73-0x0000000007CE0000-0x0000000007CF5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1944-85-0x0000000005A30000-0x0000000005D87000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 250fd13e5b00a40420217e8068640e3d
SHA1 fe9d9fa1e649ce4416070844bbe0ca69a8aa148a
SHA256 08df9c11edd883a64ef4f43bd3295b6d4bb04769a809d190393becf6433e02dd
SHA512 779409b6de44da7c70f92713f16b4d308828e19a63226e6a44ab2d0ee3c356b3fdf9059cdf76e48e57a62ab18201a58e7e2a8fa13f83c208bb766682eac13737

memory/1944-87-0x00000000702D0000-0x000000007031C000-memory.dmp

memory/1944-88-0x0000000070470000-0x00000000707C7000-memory.dmp

memory/4972-97-0x0000000005000000-0x00000000058EB000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b3722091aee00aa6602d443924c497b4
SHA1 62e68f997a0b338f3b530a505660f9d241ff8554
SHA256 1d3ec0e20a1b44b54cb7532991c7e59c9ea1424efcfc98f41cd0d95c3cbf3e09
SHA512 44ab4ff5cadc18b9aca2aec13fda3a947c823ed488b3743a96bfe7b520180f0caf11550f78519c6bf1163d8f552cd8101201df6416d8d28e1345bee12eb93934

memory/2448-108-0x00000000702D0000-0x000000007031C000-memory.dmp

memory/2448-109-0x0000000070520000-0x0000000070877000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 4150846e48cb332ce565384851fc6e26
SHA1 e0fc677654f4dcfad0ae6b66ea7a6c0c1dea0ddb
SHA256 a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9
SHA512 4757678d6b20c1f47c2c91116da38b2e74931a1a005a43f0624b3e7bb7ff5f05ca1875f2d9c1d1391e7553132753bcc4b7f3d7c45c75e7f4f540cc8db593d5fb

memory/4668-125-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4972-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9650cec11568aedf90b07ec67f577210
SHA1 2433d4d14d20df11daac6d405f618a17197ea0af
SHA256 3b0e99117abb5739bb847653a91a4972c6e022dc1b6e05815e7c58a47be9338f
SHA512 5ddccb64fcba289b1e2ac88055d3909c5a2bf27824c57114451e76a0ddd93dc608120215b1e12c3461ef028f12e4b50b99f4c87d3eb18bcae7b4f50ab7a6e377

memory/4636-138-0x00000000702D0000-0x000000007031C000-memory.dmp

memory/4636-139-0x0000000070520000-0x0000000070877000-memory.dmp

memory/5064-157-0x0000000005A20000-0x0000000005D77000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7cb2548685e178e03f5051ee497f3461
SHA1 63223ad8b409ff51e81be0903b3fe69e2d395385
SHA256 bb1e15085d044952a6621f381f49f6f750ceaccf863429ef145e660967896a60
SHA512 202a193000f7103308ce5b700733aea4d8ddc0dc5b70139f4f73cf07715c13755416cb1d238f693758d61fe5ed1c02a7f307b217f316c38329a448a8ae35a87f

memory/5064-159-0x00000000064F0000-0x000000000653C000-memory.dmp

memory/5064-160-0x00000000701F0000-0x000000007023C000-memory.dmp

memory/5064-161-0x0000000070370000-0x00000000706C7000-memory.dmp

memory/5064-170-0x0000000007240000-0x00000000072E4000-memory.dmp

memory/5064-171-0x0000000007570000-0x0000000007581000-memory.dmp

memory/5064-172-0x0000000005DA0000-0x0000000005DB5000-memory.dmp

memory/3720-175-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba3ed6b84d4460e799bb93bad611aa80
SHA1 133f0f6ba5308519e68a7847666a6347083d50a0
SHA256 37ce8224f636ab1715936e77eb94dcacb7761ed0108e7cbef545d86314417de5
SHA512 5d019eb2d9b80b7d4f47aa4436d02f25e91b73b5e5d9612ee7f1f0bbdc06572b8cd60a3badf36fba257897e26a70611bd2bde5090285a58d5b63e1287ae7a059

memory/3252-186-0x00000000701F0000-0x000000007023C000-memory.dmp

memory/3252-187-0x0000000070370000-0x00000000706C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4648-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3720-207-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1864-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4648-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3720-215-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1864-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3720-219-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3720-223-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1864-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3720-227-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3720-231-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3720-235-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3720-239-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3720-243-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3720-247-0x0000000000400000-0x0000000002ED6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 16:46

Reported

2024-05-09 16:49

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4520 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2336 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\rss\csrss.exe
PID 2336 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\rss\csrss.exe
PID 2336 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe C:\Windows\rss\csrss.exe
PID 3104 wrote to memory of 4808 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4808 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4808 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 1988 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 1988 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 1988 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 5056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 5056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 5056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3104 wrote to memory of 3656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3736 wrote to memory of 4444 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 4444 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 4444 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4444 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4444 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe

"C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe

"C:\Users\Admin\AppData\Local\Temp\a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 2b18b2f0-3645-4ce7-aa6f-52aa5097aae7.uuid.statscreate.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server6.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server6.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BG 185.82.216.96:443 server6.statscreate.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BG 185.82.216.96:443 server6.statscreate.org tcp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

memory/4868-1-0x0000000003340000-0x000000000373B000-memory.dmp

memory/4868-2-0x0000000004FE0000-0x00000000058CB000-memory.dmp

memory/4868-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1800-4-0x000000007458E000-0x000000007458F000-memory.dmp

memory/1800-5-0x0000000002AF0000-0x0000000002B26000-memory.dmp

memory/1800-6-0x0000000005320000-0x0000000005948000-memory.dmp

memory/1800-7-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/1800-8-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/1800-9-0x0000000005110000-0x0000000005132000-memory.dmp

memory/1800-11-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/1800-10-0x0000000005230000-0x0000000005296000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2nim213.cii.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1800-21-0x0000000005B30000-0x0000000005E84000-memory.dmp

memory/1800-22-0x00000000060E0000-0x00000000060FE000-memory.dmp

memory/1800-23-0x0000000006100000-0x000000000614C000-memory.dmp

memory/1800-24-0x0000000006680000-0x00000000066C4000-memory.dmp

memory/1800-25-0x0000000007420000-0x0000000007496000-memory.dmp

memory/1800-26-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/1800-27-0x00000000074A0000-0x00000000074BA000-memory.dmp

memory/4868-28-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1800-29-0x0000000007660000-0x0000000007692000-memory.dmp

memory/1800-32-0x00000000705D0000-0x0000000070924000-memory.dmp

memory/1800-42-0x00000000076A0000-0x00000000076BE000-memory.dmp

memory/1800-43-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/1800-44-0x00000000076C0000-0x0000000007763000-memory.dmp

memory/1800-31-0x0000000070420000-0x000000007046C000-memory.dmp

memory/1800-45-0x00000000077B0000-0x00000000077BA000-memory.dmp

memory/1800-30-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/1800-46-0x0000000007870000-0x0000000007906000-memory.dmp

memory/1800-47-0x00000000077D0000-0x00000000077E1000-memory.dmp

memory/1800-48-0x0000000007830000-0x000000000783E000-memory.dmp

memory/1800-49-0x0000000007840000-0x0000000007854000-memory.dmp

memory/1800-50-0x0000000007930000-0x000000000794A000-memory.dmp

memory/1800-51-0x0000000007910000-0x0000000007918000-memory.dmp

memory/1800-54-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/4868-56-0x0000000003340000-0x000000000373B000-memory.dmp

memory/4868-58-0x0000000004FE0000-0x00000000058CB000-memory.dmp

memory/4868-57-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4868-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/452-69-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/452-70-0x0000000070420000-0x000000007046C000-memory.dmp

memory/452-71-0x00000000705A0000-0x00000000708F4000-memory.dmp

memory/452-81-0x0000000007620000-0x00000000076C3000-memory.dmp

memory/452-83-0x0000000007930000-0x0000000007941000-memory.dmp

memory/2336-82-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/452-84-0x0000000007980000-0x0000000007994000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/5052-94-0x0000000005BC0000-0x0000000005F14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d864e328c43eda729a1d806d15b88b2a
SHA1 0edcb6f46e616f4d3558a76ce9d30e7aa8edce6e
SHA256 4c72ca5de2064185da58dcf1998ab6220ff842100baad759d9cca1aed2802650
SHA512 80f0bfd3ec463e9f1b645702e3890e349732b9a06257a636645ffd229ed4c2a5ebb17eba21bfd8e59d06c9c705284c89b1362fd432c7c2dad7389e01583e49d4

memory/5052-100-0x0000000070420000-0x000000007046C000-memory.dmp

memory/5052-101-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5b95ecc62ea61d7211ec170e4bf5b09
SHA1 64dfa659b684dc56dc61fe693bcfc819544bfe2c
SHA256 c3912c443182da0008ae3bfe78457f7dfbf4491e06bc092aea62fa7c8a2894e6
SHA512 3b6b6cc937909b8a985a3e3ff3c9882dd94e1ec1c6b499610bb3020fdacac84d73ea78028c0be09ca14f1ad61c6325eaf42723cbf1f5e6d1a2c3faa74a1c6cb7

memory/2144-122-0x0000000070420000-0x000000007046C000-memory.dmp

memory/2144-123-0x00000000705A0000-0x00000000708F4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 4150846e48cb332ce565384851fc6e26
SHA1 e0fc677654f4dcfad0ae6b66ea7a6c0c1dea0ddb
SHA256 a4fea52cf3eed9b4d571d8f96181fc7c9589fffc83c570a0484204213479a1f9
SHA512 4757678d6b20c1f47c2c91116da38b2e74931a1a005a43f0624b3e7bb7ff5f05ca1875f2d9c1d1391e7553132753bcc4b7f3d7c45c75e7f4f540cc8db593d5fb

memory/2336-137-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 69c15b7464abf249b6244775b0a5a8dc
SHA1 9299edad0d294f1a6aff243a84d920b79d1b5baf
SHA256 58060e678ac876d8280480c954422dbe024f874329bb283e732a96520b6e5fd0
SHA512 e146fef5ca62a4dcccb581f44ab73e908b9fa50edb36438201b4f66452a688eb123a369737f79b2789ab6efa189b827e1f8c63e75b9248576b58da37a132eda7

memory/4808-151-0x0000000070420000-0x000000007046C000-memory.dmp

memory/4808-152-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

memory/1988-172-0x00000000059D0000-0x0000000005D24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e0f5039a4ea12505d18aec9b422108ce
SHA1 0f5dfeac3508f79a6d32a4a14f870653a1406bc8
SHA256 cf57ca0f18799391217a01555adc4f94e494bd205c99bb0043c324af4e89b023
SHA512 0e806114893892a273ca1d7aae34c7f3c6bad55fd85f2488bdfe91548cc4ddedffb2f35bfb5273c6dd616e4421f805cb28df6c3a47193275ff0ef6256f46c3fd

memory/1988-174-0x00000000063D0000-0x000000000641C000-memory.dmp

memory/1988-175-0x0000000070340000-0x000000007038C000-memory.dmp

memory/1988-176-0x00000000704C0000-0x0000000070814000-memory.dmp

memory/1988-186-0x0000000007100000-0x00000000071A3000-memory.dmp

memory/1988-187-0x0000000007460000-0x0000000007471000-memory.dmp

memory/1988-188-0x0000000005920000-0x0000000005934000-memory.dmp

memory/5056-200-0x0000000005840000-0x0000000005B94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ef4e7bd4a486bd148149dcf76647782
SHA1 21c5591a3df0122c414b7ec9923354a360e742e0
SHA256 5612fd5e80161cfa370bbb992ee7985f51a3b560801624ee56611f98987ad2e2
SHA512 ce51b0eb73817c5ef5e6a7c5a43da35f63d0a85495eb3f2a57cab7b43d931874f189fd31950492e731918443a508012b3686e393c83f2a9e9522240b9309a946

memory/5056-202-0x0000000070340000-0x000000007038C000-memory.dmp

memory/5056-203-0x0000000070AD0000-0x0000000070E24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3104-219-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3736-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4948-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3736-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3104-230-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4948-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3104-232-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3104-236-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4948-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3104-239-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3104-242-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3104-245-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3104-248-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3104-251-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3104-254-0x0000000000400000-0x0000000002ED6000-memory.dmp