Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x1bbladf65
Target 7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351
SHA256 7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:18

Reported

2024-05-09 19:21

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target Count
N/A N/A N/A N/A 17

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Windows\rss\csrss.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 1
N/A N/A C:\Windows\windefender.exe N/A 2

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 6

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A 2

Modifies data under HKEY_USERS

Description Indicator Process Target Count
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A 1
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 3
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 3
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 14
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 32
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2260 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 100 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 100 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\system32\cmd.exe 2
PID 1564 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 100 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 100 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 100 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\rss\csrss.exe 3
PID 896 wrote to memory of 1860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 896 wrote to memory of 4912 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 896 wrote to memory of 1428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 896 wrote to memory of 4584 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 884 wrote to memory of 1188 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1188 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe

"C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe

"C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 fa95246a-8bdf-424e-8127-7d23552a0193.uuid.realupdate.ru udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server7.realupdate.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server7.realupdate.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server7.realupdate.ru tcp
N/A 127.0.0.1:3478 N/A udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 127.0.0.1:3478 N/A udp
N/A 127.0.0.1:3478 N/A udp
US 8.8.8.8:53 stun2.l.google.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BG 185.82.216.96:443 server7.realupdate.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhhl5wjn.1oj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 044378779055060e2015006039084ff6
SHA1 c5a0a4c7f9aa80c3b7f98e6dc9e96ed5b0cfff57
SHA256 3fdfcf3f4057ac6917f14085a2400b6241c0b523a6304d45a9b84659a5b94cb4
SHA512 0bf06f2050602b32ce18c2d311ff11cf2f517f9529d249398ae82b3c4ad12a96ae3d847af7d317933f3648d2d6d7121d61be9338bd6b3944c6ecdbc704239946

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e5f10cecdcb72ef6c31d60f95aaa3780
SHA1 afb06a3d1391d729c996543ccf063f9f532e6fdb
SHA256 24328e2d3e8fd38cc307d1a2c96c8087999b6d39b23c4d5252fd35c7927d9458
SHA512 591cdb742eda7ae9761f4a6dfad32eed5a184d50e58233f613abd054fdcc1bee01a93820bc88a9ae09eee843527748cf98dc55a529e384f4d2814200fd539d0f

C:\Windows\rss\csrss.exe

MD5 cb190097f65f744e90b26d1ebaafb5ad
SHA1 a80304e9a6123aca0b5e4d4ef431850936b96d61
SHA256 7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351
SHA512 0f79b3468618b1b6b31e3d655328fda18ac7b75aab67e6fba155a7cc34e6963c357ad801a5631368c544bf380d8c5e261e7119ec4c26700ca279efcadc9d6178

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f66e70a8ac63f214ba19f6496ecddf89
SHA1 31927fb98d5689ba4ea3a428420a80f9567f0290
SHA256 f47f656afbce35f5602b73ab44259109986dfe0ba869df14c3627d96d9689e3d
SHA512 099c9d9bbdf89ab98138911d115b9cc0ed1d9c6d06eaf8d68021d41da175f082ebe3aa819615921ea96ee8dc885961c1e1b9af3a0f648e6368b9787e733b52ab

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 be24c304412529c3e96ce1d961d85749
SHA1 749d4091fb49c099acea1635131d28f6d6a13715
SHA256 8b772b617b49fefb2d2063b980adc8ffd6b1840c43c4ab780fa380957faaafca
SHA512 f14509b84e9f235edebe0ca4d3af7a839a12c6a8f3ccc9f3eb6598804d4289817ac71c2000a18bc1a6ebf1b5b574bb2f09d0c4ca7bd5ba1893d68ab16829ef5b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d84be37346e61a2affa735d37aa95ff
SHA1 f8956ce532bfb6da9688399230115fc8612c8f00
SHA256 37b9c39ed240576821b34d50c6d6acd122f3e86a665a2e2ce6f53b181f6a4347
SHA512 674faf1c353a0f46118c09e2d64d507e0437c291cafac5ab90f22e53e107ef68db69d70aa09d4acec23f92e10954c009f4963ce945f11eb5a729100e6bb75df1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:18

Reported

2024-05-09 19:21

Platform

win11-20240426-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1544 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2436 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\rss\csrss.exe
PID 2436 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\rss\csrss.exe
PID 2436 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe C:\Windows\rss\csrss.exe
PID 3856 wrote to memory of 1636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 2232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 2232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 2232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 5000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 5000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 5000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 2220 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3856 wrote to memory of 2220 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4452 wrote to memory of 728 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 728 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 728 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 728 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 728 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe

"C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe

"C:\Users\Admin\AppData\Local\Temp\7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 f27c6a5e-6051-413c-8f11-f986cd78dd5f.uuid.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server16.realupdate.ru udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 74.125.250.129:19302 stun2.l.google.com udp
US 52.111.229.48:443 tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.96:443 server16.realupdate.ru tcp

Files

memory/2272-1-0x00000000033D0000-0x00000000037D6000-memory.dmp

memory/2272-2-0x0000000005080000-0x000000000596B000-memory.dmp

memory/2272-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3800-4-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

memory/3800-5-0x0000000002A40000-0x0000000002A76000-memory.dmp

memory/3800-6-0x0000000005290000-0x00000000058BA000-memory.dmp

memory/3800-7-0x0000000073F10000-0x00000000746C1000-memory.dmp

memory/3800-8-0x0000000073F10000-0x00000000746C1000-memory.dmp

memory/3800-9-0x0000000004F60000-0x0000000004F82000-memory.dmp

memory/3800-10-0x0000000005100000-0x0000000005166000-memory.dmp

memory/3800-11-0x0000000005930000-0x0000000005996000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bm4zhmoh.hjt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3800-20-0x0000000005AC0000-0x0000000005E17000-memory.dmp

memory/3800-22-0x0000000005F60000-0x0000000005FAC000-memory.dmp

memory/3800-21-0x0000000005F40000-0x0000000005F5E000-memory.dmp

memory/3800-23-0x0000000006F00000-0x0000000006F46000-memory.dmp

memory/3800-25-0x0000000070180000-0x00000000701CC000-memory.dmp

memory/3800-36-0x00000000073B0000-0x0000000007454000-memory.dmp

memory/3800-35-0x0000000007390000-0x00000000073AE000-memory.dmp

memory/3800-26-0x0000000070300000-0x0000000070657000-memory.dmp

memory/3800-24-0x0000000007350000-0x0000000007384000-memory.dmp

memory/3800-38-0x00000000074E0000-0x00000000074FA000-memory.dmp

memory/3800-37-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/3800-39-0x0000000007520000-0x000000000752A000-memory.dmp

memory/3800-40-0x0000000007630000-0x00000000076C6000-memory.dmp

memory/3800-41-0x0000000007540000-0x0000000007551000-memory.dmp

memory/3800-42-0x0000000007590000-0x000000000759E000-memory.dmp

memory/3800-43-0x00000000075A0000-0x00000000075B5000-memory.dmp

memory/3800-44-0x00000000075F0000-0x000000000760A000-memory.dmp

memory/3800-45-0x0000000007610000-0x0000000007618000-memory.dmp

memory/3800-48-0x0000000073F10000-0x00000000746C1000-memory.dmp

memory/2272-50-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3896-59-0x0000000005520000-0x0000000005877000-memory.dmp

memory/3896-60-0x0000000070180000-0x00000000701CC000-memory.dmp

memory/3896-70-0x0000000006C50000-0x0000000006CF4000-memory.dmp

memory/3896-61-0x0000000070310000-0x0000000070667000-memory.dmp

memory/3896-71-0x0000000006F80000-0x0000000006F91000-memory.dmp

memory/3896-72-0x0000000006FD0000-0x0000000006FE5000-memory.dmp

memory/2272-73-0x00000000033D0000-0x00000000037D6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4608-77-0x0000000006070000-0x00000000063C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 70fc420e54d71b7e8282a13772bb1e1e
SHA1 04e7bf9981119a5b915dbe2ec1b875db42a785c7
SHA256 58247ea5e3cc9bbb024b7d062a9325286b78006a3ee781101418d773eda3d25c
SHA512 5935def0a1aa16c3566e3dcafdcf2944f7aad91fc10efb8bad5063a8c0f97e3bd0b12675ffadb89ecc225555b1e5d6be12a42742f535c7536555d2c37fce8fad

memory/4608-88-0x00000000703D0000-0x0000000070727000-memory.dmp

memory/4608-87-0x0000000070180000-0x00000000701CC000-memory.dmp

memory/856-106-0x0000000005A90000-0x0000000005DE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 130771de1dc4428cc5fed14ee74d0a3c
SHA1 c0c18dd7772e7b2d8f59697ec8a8455bc361e6e8
SHA256 ae2fb68aea11f267b88a62148f38433658e1524e432b4509fed6d0f505f92876
SHA512 06316d7fffdd59c0140ec6ec9d2efc6885e4366838003c12c2869b7e713da1e1fc042a086cccb07a8eb4a780dde807feaa8135ab13dd4c2e5756b5f15ec3b399

memory/856-109-0x0000000070320000-0x0000000070677000-memory.dmp

memory/856-108-0x0000000070180000-0x00000000701CC000-memory.dmp

memory/2272-118-0x0000000005080000-0x000000000596B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 cb190097f65f744e90b26d1ebaafb5ad
SHA1 a80304e9a6123aca0b5e4d4ef431850936b96d61
SHA256 7938a4cdc2d96fbf519f39e0eab76655909742158c057116f18537a0c0a84351
SHA512 0f79b3468618b1b6b31e3d655328fda18ac7b75aab67e6fba155a7cc34e6963c357ad801a5631368c544bf380d8c5e261e7119ec4c26700ca279efcadc9d6178

memory/2436-126-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2272-127-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d4934ab130ce86dab1a1684715b3dd1
SHA1 f4779e408269189ecd60e5bf340e2b0da0a24e82
SHA256 f24e9d7e451786b7dc1e2c9f6583aeb9629e69b5bc3aa3dd9404bfefff11aa82
SHA512 5c1d9f5652d9644b85f3ea69496c9c8665232ee831b23f7a9ce89c4dd59a5790ebabeb7dbdb631bc398e66decf14f097a547021f184f1e15e66ff29c2138aca2

memory/1636-137-0x0000000070180000-0x00000000701CC000-memory.dmp

memory/1636-138-0x00000000703D0000-0x0000000070727000-memory.dmp

memory/2232-156-0x0000000006320000-0x0000000006677000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2cb368ba2645c7104de6ece0400650a
SHA1 2cfb7b9e02218f8b5735b23e04e25622b2908fbe
SHA256 4ad4960ba9a263d484cf6a46a97ee194895900013fc4b1058a66f801520d7a46
SHA512 dd20f780ac181316f7c7e2a8fba6edcef36b81b3d57fea023acc80c0d5ebb3dc52af8183b9889445e0c5ae2510f8b6dc6130702b5e52c7b0f46ee3e8471b7910

memory/2232-158-0x00000000068D0000-0x000000000691C000-memory.dmp

memory/2232-160-0x0000000070220000-0x0000000070577000-memory.dmp

memory/2232-159-0x00000000700A0000-0x00000000700EC000-memory.dmp

memory/2232-169-0x00000000079D0000-0x0000000007A74000-memory.dmp

memory/2232-170-0x0000000007D00000-0x0000000007D11000-memory.dmp

memory/2232-171-0x0000000006160000-0x0000000006175000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72ff00f13bbfe07f22c493e9c372cf58
SHA1 2e4c0be708433e7dbf035957d05bfa302f68ff36
SHA256 374ec828aafd369fcfc7c1bacb34551d18605465a6cfab033dbf2411a2feefe1
SHA512 5518b7b1a5f2e374fdd0a3253eb312f6faf2b67a3115765c165d03f6602d82d647d574c28abe83fe06eccc0f89b82e94cb5567579546afd8be6155bced0a439c

memory/5000-183-0x0000000070320000-0x0000000070677000-memory.dmp

memory/5000-182-0x00000000700A0000-0x00000000700EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3856-200-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4452-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2912-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3856-206-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4452-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2912-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3856-214-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-218-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2912-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3856-222-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-225-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-229-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-233-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2912-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3856-238-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-242-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-246-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-249-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3856-253-0x0000000000400000-0x0000000002EDD000-memory.dmp