Malware Analysis Report

2025-06-16 01:58

Sample ID: 240509-x1p5radf84
Target: 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd
SHA256: 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd

Threat Level: Known bad

The file 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:19

Reported

2024-05-09 19:22

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Modifies Windows Firewall

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Checks for VirtualBox DLLs, possible anti-VM trick

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |

Launches sc.exe

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3592 wrote to memory of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3592 wrote to memory of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3592 wrote to memory of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\system32\cmd.exe |
| PID 1668 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\system32\cmd.exe |
| PID 4644 wrote to memory of 2132 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 4644 wrote to memory of 2132 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 1668 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\rss\csrss.exe |
| PID 1668 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\rss\csrss.exe |
| PID 1668 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe | C:\Windows\rss\csrss.exe |
| PID 2760 wrote to memory of 2028 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 2028 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 2028 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 3604 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 3604 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 3604 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 1848 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 1848 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 1848 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 632 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 2760 wrote to memory of 632 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 3244 wrote to memory of 3280 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3244 wrote to memory of 3280 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3244 wrote to memory of 3280 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3280 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 3280 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 3280 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe

"C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe

"C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
BE 2.17.196.115:443 www.bing.com tcp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
BE 2.17.196.115:443 www.bing.com tcp
US 8.8.8.8:53 115.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 7bf754cf-0a47-446e-90e2-cc8459fe0457.uuid.allstatsin.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server6.allstatsin.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.104:443 server6.allstatsin.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server6.allstatsin.ru tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server6.allstatsin.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2fsi2ju.zdj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7f201b4bdf240b17f8fcaa8c917a003
SHA1 a9dd09bacbb17443628c84b8df7c6e9ad7b3d70b
SHA256 862f2c3773328bd791c1cb769b50ad5b70b7b31c9d908928f604dc919017a38e
SHA512 89f129e3703fa2961518f9094aae17181af0d757f7e9d2ea7519c5f1200c13bffdb1a32cfe5b8bcce8dff69ffc23e49e0b29b94e236963f9b8efc1607e1bc661

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 767223bf100608b0b8ded436f17178f1
SHA1 a5c56fb7f5a1b6b4b1d4a2f1cd1786fe83a92b58
SHA256 33989b148155dacea6f5f0af89abf484783154cffff203cf844e75eb61473813
SHA512 51975869ca1f310fc2c118432f6b07739f19f609889572f9e1aaf4501bd41cfdec9fa09f4ffba8d92439aad588b9821db2796f4b7605bdb6300a559303963f4f

C:\Windows\rss\csrss.exe

MD5 a777e580115331f281253a66b4b2693a
SHA1 ed39eb27efe889bfbb506b32efaad08c5c31aa6e
SHA256 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd
SHA512 22b0735b5f337314cd143bc03b1371bc384581069fd34829cad15ae4dfcb58ec6e0425514ed32bb73d9132e9733ba79d6f489557ffcdcd290b0d53729fa4f762

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6ad36a13955a7fa0ceef05515ab71d9a
SHA1 f58155b6925ce0a3a3fe2e7ce1afb8eb00b2b31a
SHA256 c86312ab2839942b319c49b2c9663de285a8035d953a1206410ad44525d6c95c
SHA512 2b863df0fb088ef09a3d7da3e86d57ac2a85f3224286c219de33e5b2117b40b5703bc12dbdec5af5b7d6b26b36290d91de25fb55dd066a6cfb9381442d9afef8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a18be15ee385e267e157d47abbdbe765
SHA1 9f77d26907d3801a86d30a1a34e58de00be58abe
SHA256 05ebb2f687f94893c42683a745752e7cd40e157f3c45b95b067076d6e343401b
SHA512 d0ca2ff16ae4ac256f7083627f5975a25bed2bd7ad4d949a32198af22cd2b0a21a33962c353f995eb34250ac5616177ec0c8c90a45dc30f160a69fce8cb890cb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c5bc98f9c02b154d38a2d41ed1575a6
SHA1 c0a32875ba787c85edafdc5135055e5b88483d66
SHA256 fa291c81201645ec6ea27f85d39146866e2c1f4a35577d72c8f824f98002bfb7
SHA512 8180b714ce713578253840cacb9e1cbd63fe0c16128956c65d51c4ac87fe774213f605100a315035c48e8b4d3b0feb8d0178288af5078ea8aa3eb9ce4f48cfa6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:19

Reported

2024-05-09 19:22

Platform

win11-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\system32\cmd.exe
PID 2832 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1228 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2832 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\rss\csrss.exe
PID 2832 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\rss\csrss.exe
PID 2832 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe C:\Windows\rss\csrss.exe
PID 868 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3936 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 868 wrote to memory of 3936 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3404 wrote to memory of 3204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3204 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3204 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe

"C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe

"C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
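The `sc sdset WinDefender ...` command line above is the part of this process list worth decoding: the SDDL it applies is what stops an administrator from simply stopping the WinDefender service that the dropped windefender.exe registers. The decoder below is an added example written for this report, not code from the sandbox or from the malware; the two-letter rights are the standard service-object SDDL alphabet that `sc sdshow` / `sc sdset` use, while the function names and the simplified access walk are my own.

```python
"""Decode the service DACL applied by `sc sdset WinDefender ...` above.

Added example for this report (not sandbox output or malware code). The
two-letter rights are the standard service-object SDDL alphabet that
`sc sdshow` / `sc sdset` use; function names and the simplified access
walk below are my own.
"""
import re

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone",
}

# Copied verbatim from the sc.exe command line in the Processes section.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

_SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))+)")  # D:flags(ace)(ace)... / S:...
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_rights(field):
    """Turn 'CCLCSW...' into a set of right names; hex masks pass through."""
    if field.startswith("0x"):
        return {field}
    return {SERVICE_RIGHTS.get(field[i:i + 2], field[i:i + 2])
            for i in range(0, len(field), 2)}


def parse_sddl(sddl):
    """Return the DACL and SACL ACEs of a service SDDL string, in list order."""
    aces = []
    for sec in _SECTION_RE.finditer(sddl):
        acl = "DACL" if sec.group(1) == "D" else "SACL"
        for m in _ACE_RE.finditer(sec.group(3)):
            f = m.group(1).split(";")
            if len(f) < 6:
                raise ValueError("malformed ACE: " + m.group(0))
            aces.append({"acl": acl, "type": f[0], "flags": f[1],
                         "rights": _split_rights(f[2]), "trustee": f[5]})
    return aces


def access_check(sddl, trustee, right_code):
    """Simplified DACL walk for one trustee and one right: ACEs are read in
    order, an explicit deny that covers the right wins, an allow that covers
    it grants, and falling off the end denies. Group nesting, inheritance
    flags and owner rights are ignored; this illustrates the DACL, it does
    not replace AccessCheck()."""
    wanted = SERVICE_RIGHTS.get(right_code, right_code)
    for ace in parse_sddl(sddl):
        if ace["acl"] != "DACL" or ace["trustee"] != trustee:
            continue
        if ace["type"] == "D" and wanted in ace["rights"]:
            return False
        if ace["type"] == "A" and (wanted in ace["rights"]
                                   or "GENERIC_ALL" in ace["rights"]):
            return True
    return False


def denied_rights(sddl, trustee):
    """Rights an explicit deny ACE withholds from the trustee."""
    out = set()
    for ace in parse_sddl(sddl):
        if ace["acl"] == "DACL" and ace["type"] == "D" and ace["trustee"] == trustee:
            out |= ace["rights"]
    return out


def describe(sddl):
    """One readable line per ACE."""
    verbs = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
    return ["%s %-5s %-32s %s" % (a["acl"], verbs.get(a["type"], a["type"]),
                                   TRUSTEES.get(a["trustee"], a["trustee"]),
                                   ", ".join(sorted(a["rights"])))
            for a in parse_sddl(sddl)]


if __name__ == "__main__":
    print("\n".join(describe(WINDEFENDER_SDDL)))
    print("Administrators denied:", sorted(denied_rights(WINDEFENDER_SDDL, "BA")))
    print("Administrators can stop service:", access_check(WINDEFENDER_SDDL, "BA", "WP"))
```

Reading the decoded DACL: SYSTEM keeps start, stop and pause; Administrators get every right except SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and the explicit (D;;WPDT;;;BA) ACE restates that denial so it holds even if an allow ACE for Administrators were appended later; interactive and service accounts can only query the service. An elevated `sc stop WinDefender` is therefore refused, but the same allow ACE still gives Administrators WRITE_DAC, SERVICE_CHANGE_CONFIG and DELETE, so the practical cleanup is to rewrite the DACL with `sc sdset`, or to `sc config WinDefender start= disabled` and `sc delete WinDefender` and let a reboot finish the removal, rather than to fight the stop.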

Network

Country Destination Domain Proto
US 8.8.8.8:53 3326c32b-1480-4667-9a84-f20732903bf7.uuid.allstatsin.ru udp
US 8.8.8.8:53 server3.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
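The command lines in the Processes section and the DNS queries in the Network table are the same records a Sysmon (event 1 and event 22) or EDR pipeline would carry, so they make a usable test set for detection logic. The script below is an added example for this report, not sandbox output or vendor content: its event list is constructed from the Processes and Network sections above, and the rule names, the set of core-process names and the system-directory allowlist are my own choices, not anything the report states.

```python
"""Detection rules over the process and DNS records in this report.

Added example (not sandbox output, not vendor content). EVENTS is
constructed from the Processes and Network sections above; rule names,
CORE_PROCESS_NAMES and the SYSTEM_DIRS allowlist are my own.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe")
INJECTOR_DIR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector"
FW_CMD = ('netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
          'program="C:\\Windows\\rss\\csrss.exe" enable=yes')
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

EVENTS = [  # constructed from the report; "type" mirrors Sysmon EID 1 / EID 22
    {"type": "process", "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"type": "process", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nologo -noprofile"},
    {"type": "process", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'C:\\Windows\\Sysnative\\cmd.exe /C "%s"' % FW_CMD},
    {"type": "process", "image": r"C:\Windows\system32\netsh.exe", "cmdline": FW_CMD},
    {"type": "process", "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"type": "process", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": 'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'},
    {"type": "process", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": "schtasks /delete /tn ScheduledUpdate /f"},
    {"type": "process", "image": INJECTOR_DIR + r"\injector.exe",
     "cmdline": "%s\\injector.exe taskmgr.exe %s\\NtQuerySystemInformationHook.dll" % (INJECTOR_DIR, INJECTOR_DIR)},
    {"type": "process", "image": r"C:\Windows\windefender.exe", "cmdline": r'"C:\Windows\windefender.exe"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc sdset WinDefender " + SDDL},
    {"type": "dns", "query": "3326c32b-1480-4667-9a84-f20732903bf7.uuid.allstatsin.ru"},
    {"type": "dns", "query": "server3.allstatsin.ru"},
    {"type": "dns", "query": "cdn.discordapp.com"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # my allowlist
CORE_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe"}  # my choice


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def rule_core_name_outside_system_dir(ev):
    """A core Windows process name running from a non-system directory."""
    if ev["type"] != "process":
        return None
    name = PureWindowsPath(ev["image"]).name.lower()
    if name in CORE_PROCESS_NAMES and not _in_system_dir(ev["image"]):
        return "%s running from %s" % (name, ev["image"])
    return None


_FW_RE = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?([^"\s]+)', re.I)


def rule_firewall_allow_nonsystem_program(ev):
    """Inbound allow rule added for a binary outside the system directories."""
    m = _FW_RE.search(ev.get("cmdline", ""))
    if m and not _in_system_dir(m.group(1)):
        return "firewall allow rule for " + m.group(1)
    return None


def rule_logon_task_highest_nonsystem(ev):
    """Logon task at highest run level whose target is outside the system directories."""
    c = ev.get("cmdline", "")
    if not re.search(r"schtasks(\.exe)?\s+/create\b", c, re.I) or not re.search(r"/rl\s+highest\b", c, re.I):
        return None
    m = re.search(r'/tr\s+"?([^"]+?\.exe)', c, re.I)
    if m and not _in_system_dir(m.group(1)):
        return "elevated logon task runs " + m.group(1)
    return None


_DENY_BA_RE = re.compile(r"\(D;[^)]*;;;BA\)")


def rule_service_dacl_denies_admins(ev):
    """sc sdset carrying an explicit deny ACE for BUILTIN\\Administrators."""
    c = ev.get("cmdline", "")
    m = _DENY_BA_RE.search(c)
    if m and re.search(r"\bsc(\.exe)?\s+sdset\b", c, re.I):
        return "service DACL denies Administrators: " + m.group(0)
    return None


def rule_dll_plus_target_process(ev):
    """Command line naming both a target .exe and a .dll to load (injector shape)."""
    args = ev.get("cmdline", "").split()[1:]
    exes = [a for a in args if a.lower().endswith(".exe")]
    dlls = [a for a in args if a.lower().endswith(".dll")]
    if exes and dlls:
        return "possible injection of %s into %s" % (dlls[0], exes[0])
    return None


_UUID_LABEL_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)


def rule_uuid_subdomain(ev):
    """DNS query whose leftmost label is a UUID (per-victim beacon naming)."""
    if ev["type"] == "dns" and _UUID_LABEL_RE.match(ev["query"]):
        return "UUID-labelled query " + ev["query"]
    return None


RULES = [rule_core_name_outside_system_dir, rule_firewall_allow_nonsystem_program,
         rule_logon_task_highest_nonsystem, rule_service_dacl_denies_admins,
         rule_dll_plus_target_process, rule_uuid_subdomain]


def run(events):
    """Return (rule name, detail) for every rule that fires on every event."""
    return [(rule.__name__, hit) for ev in events for rule in RULES for hit in [rule(ev)] if hit]


if __name__ == "__main__":
    for name, detail in run(EVENTS):
        print("%-40s %s" % (name, detail))
```

Against the constructed records the rules fire seven times: the firewall rule twice (once on the cmd.exe wrapper, once on netsh.exe itself, which is what a real pipeline will also see), and once each for csrss.exe under C:\Windows\rss, the ONLOGON task at highest run level, the injector.exe command line pairing taskmgr.exe with NtQuerySystemInformationHook.dll, the sc sdset deny ACE, and the UUID-labelled allstatsin.ru query. The plain `powershell -nologo -noprofile` launches and the `schtasks /delete` stay quiet, which is the point of keying the rules on the target path and the deny ACE rather than on the tool name alone.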

Files

memory/2428-1-0x00000000033D0000-0x00000000037CC000-memory.dmp

memory/2428-2-0x0000000005070000-0x000000000595B000-memory.dmp

memory/2428-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4888-4-0x000000007480E000-0x000000007480F000-memory.dmp

memory/4888-5-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

memory/4888-7-0x0000000074800000-0x0000000074FB1000-memory.dmp

memory/4888-6-0x00000000051F0000-0x000000000581A000-memory.dmp

memory/4888-8-0x0000000074800000-0x0000000074FB1000-memory.dmp

memory/4888-9-0x0000000005100000-0x0000000005122000-memory.dmp

memory/4888-10-0x00000000059D0000-0x0000000005A36000-memory.dmp

memory/4888-11-0x0000000005A40000-0x0000000005AA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xwg0tcc.fdy.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4888-20-0x0000000005AB0000-0x0000000005E07000-memory.dmp

memory/4888-21-0x0000000005F70000-0x0000000005F8E000-memory.dmp

memory/4888-22-0x0000000005FC0000-0x000000000600C000-memory.dmp

memory/4888-23-0x0000000007100000-0x0000000007146000-memory.dmp

memory/4888-24-0x0000000007390000-0x00000000073C4000-memory.dmp

memory/4888-25-0x0000000070A70000-0x0000000070ABC000-memory.dmp

memory/4888-26-0x0000000070BF0000-0x0000000070F47000-memory.dmp

memory/4888-35-0x00000000073F0000-0x000000000740E000-memory.dmp

memory/4888-36-0x0000000007410000-0x00000000074B4000-memory.dmp

memory/4888-37-0x0000000007B80000-0x00000000081FA000-memory.dmp

memory/4888-38-0x0000000007530000-0x000000000754A000-memory.dmp

memory/4888-40-0x0000000007570000-0x000000000757A000-memory.dmp

memory/2428-39-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4888-41-0x0000000007630000-0x00000000076C6000-memory.dmp

memory/4888-42-0x00000000075B0000-0x00000000075C1000-memory.dmp

memory/4888-43-0x00000000075E0000-0x00000000075EE000-memory.dmp

memory/4888-44-0x00000000075F0000-0x0000000007605000-memory.dmp

memory/4888-45-0x00000000076F0000-0x000000000770A000-memory.dmp

memory/4888-46-0x00000000076D0000-0x00000000076D8000-memory.dmp

memory/4888-49-0x0000000074800000-0x0000000074FB1000-memory.dmp

memory/2428-51-0x00000000033D0000-0x00000000037CC000-memory.dmp

memory/2428-53-0x0000000005070000-0x000000000595B000-memory.dmp

memory/2428-52-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2520-59-0x00000000062A0000-0x00000000065F7000-memory.dmp

memory/2520-63-0x0000000070A70000-0x0000000070ABC000-memory.dmp

memory/2520-64-0x0000000070CC0000-0x0000000071017000-memory.dmp

memory/2520-73-0x0000000007A00000-0x0000000007AA4000-memory.dmp

memory/2520-74-0x0000000007D30000-0x0000000007D41000-memory.dmp

memory/2520-75-0x0000000007D80000-0x0000000007D95000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 163728d3633f052cec72a78328a64331
SHA1 51d618655c6f480e8247efd97c573ac700b965c8
SHA256 b364c5da103cc9d4935e3f84a2ef68a9c3ad881ae544ffab4ce421c0e26b73bf
SHA512 4d834290081e8fafc1a6ba6851b01a18e8f1e10a00f6fa8b1153d393c09856c4351e6232e021fa2f640ee32bbf18fa7a3c97e632005beda25de2a6cbe5454c0d

memory/1232-88-0x0000000070A70000-0x0000000070ABC000-memory.dmp

memory/1232-89-0x0000000070BF0000-0x0000000070F47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8ae45efa44f268c263f3c6820de2411c
SHA1 4be1550bc0049bc6d0a2d6fbdbf38024b22c77bd
SHA256 0a125ef2d104e18e24eca12927161081150c67ed1bcdc65291d272ee027fe98b
SHA512 af54fc77f39c93274f4121467eb09152c3580c06c979099f84ac20d88efe8bcc7374f7ba57da388c3930e41098c4a983e8823e82ee87097c12be6e361cb8d4ec

memory/2428-109-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2832-108-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3728-111-0x0000000070BF0000-0x0000000070F47000-memory.dmp

memory/3728-110-0x0000000070A70000-0x0000000070ABC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a777e580115331f281253a66b4b2693a
SHA1 ed39eb27efe889bfbb506b32efaad08c5c31aa6e
SHA256 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd
SHA512 22b0735b5f337314cd143bc03b1371bc384581069fd34829cad15ae4dfcb58ec6e0425514ed32bb73d9132e9733ba79d6f489557ffcdcd290b0d53729fa4f762

memory/2832-127-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7029a15d633a0b1145a28f829791f7d7
SHA1 cc3d6d400b02e71a10de1941fe0ec5cdafd200ea
SHA256 ff3d45867705e5fe4e3b8914ef25d64cac93f5c5876f22d431b72e53040807c3
SHA512 3cdfb57ec18c8e57c317a9ce55e058905e35ca2d6d75d2bd4695a8d32aaff5c4339559cf8c1ade24f3c8a84bca7131f2d1383d94b35bf1f546380116a25e033e

memory/1056-139-0x0000000070CC0000-0x0000000071017000-memory.dmp

memory/1056-138-0x0000000070A70000-0x0000000070ABC000-memory.dmp

memory/3068-149-0x0000000005970000-0x0000000005CC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 09c76a436bb58d302ed787c9aeacfdb7
SHA1 31ab91b34599b95aa125a5870134134e2a741512
SHA256 ec3a7d95a4f3b4d2846bf654e9970027595b77f9dd9e009338ada40590750709
SHA512 31d64b142113a7766012b8ca5056db7a18805965832d7a176694511dd776fa69ce27ed372a70c578070a1af6aebb9e544ed21e30a5cd5cde8000c361d2be0c74

memory/3068-159-0x0000000006510000-0x000000000655C000-memory.dmp

memory/3068-161-0x0000000070990000-0x00000000709DC000-memory.dmp

memory/3068-162-0x0000000070BE0000-0x0000000070F37000-memory.dmp

memory/3068-171-0x00000000071C0000-0x0000000007264000-memory.dmp

memory/3068-172-0x0000000007510000-0x0000000007521000-memory.dmp

memory/3068-173-0x0000000005D30000-0x0000000005D45000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 07b76b1f8c829823ea68998a9c516ce3
SHA1 d8f773541aaabf2d1ed729cbce1fb1054a01b776
SHA256 f6b21587cf55c65660eaae0b56cccd3b8bc4447e3fdf7f8c89e02ca39b2819aa
SHA512 baa6ec1b41b6dccd2a0a7882f8f6c7d4b2b8b0e7a965cd7622ccebf1aa311b5f89f35564c7b25535689236d06f1da7f6b974a861f9ef7d8e2dd8112dce629137

memory/3412-184-0x0000000070990000-0x00000000709DC000-memory.dmp

memory/3412-185-0x0000000070BE0000-0x0000000070F37000-memory.dmp

memory/868-194-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3404-206-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1748-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3404-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/868-209-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1748-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/868-216-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/868-220-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1748-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/868-224-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/868-227-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/868-231-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/868-236-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/868-240-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/868-243-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/868-247-0x0000000000400000-0x0000000002EDD000-memory.dmp