Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x926nseb25
Target 691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99
SHA256 691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99

Threat Level: Known bad

The file 691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:34

Reported

2024-05-09 19:36

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 matches (no description, indicator, process or target details reported)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
6 matches (no description, indicator, process or target details reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\system32\cmd.exe
PID 4456 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4456 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1720 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\rss\csrss.exe
PID 1720 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\rss\csrss.exe
PID 1720 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\rss\csrss.exe
PID 2664 wrote to memory of 4088 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 4088 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 4088 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 5096 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 5096 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 5096 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 2140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 2140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 2140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 816 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2664 wrote to memory of 816 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2116 wrote to memory of 2228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2228 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2228 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe

"C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe

"C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 1561bb94-4a16-4374-a629-2abdf79d802b.uuid.filesdumpplace.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server9.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server9.filesdumpplace.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server9.filesdumpplace.org tcp
BG 185.82.216.96:443 server9.filesdumpplace.org tcp
BG 185.82.216.96:443 server9.filesdumpplace.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0vbhihs.wj2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd2d186edf64b18711d7d593fe32f3a3
SHA1 6d58b24af795391879cf26ab517a7c8dd4755c99
SHA256 6505d966a1976819377fb1d6500f9a678608943fe10da9987fbd4caf8ad50a3f
SHA512 dbf228fcb66371e1a2a9d82fc435d82ee3708242038aab2bc81fabe4b67e0c2d8f1a842c2a2b8018d604d54845a31701dc65fe942ebcb42d9d5af1596d29fc6f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3687ddc0bef36351a9ce3bb58a06d2d8
SHA1 ac66fd61b697046ec2f5e8c19b334639b3d243fc
SHA256 fe154667bfdba2c11fefe75f5a97df2cf1d86444c726058b3ce9090f5b109f8b
SHA512 97238997a727d91509e61c2ef103fe2e887c490dd593765ff9e2997d7343a592710b80c7e306b2a32e768c4cc2437bbde6eb5e1c051ce50b4e85677f7558bc46

C:\Windows\rss\csrss.exe

MD5 0ed8d071deae90ff638cb070d0b9559d
SHA1 9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda
SHA256 691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99
SHA512 960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c457bb89314632b3373ddf5109ffa6b8
SHA1 a75cbdbf014e4dd65fae2eae0541d79bac1c32d3
SHA256 30eb0f15d09247ae398b155683b28f814ccb3b00425361c398024844de42b4d2
SHA512 4bdd4a555b298a46186f6bfd796c1a492d7eb1461e323d6892aabf74ee3fa4ae2cc98b806edc8bb362f4cd2de6c078f8a17b891ff08e0ee9f9a3abd67ef28d5e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d5189b5151be2030781549c08a26bc09
SHA1 b3e752d156b8a9fd83f285c2968bcee7cb8037de
SHA256 21c0a080df824b825a083fb4c4b5ae24d25219eb126f64bf88558db556179e92
SHA512 fee128e13f53a8cb3d24469f62b9939b2dc6716ca6cee4165ec2501d103988f6bfba5579f7a89386276d58a17ff52d7ca4d569813e4958a56d99ed49f1d0d705

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 03a0f4c8eeb930f54603b3c975ffc612
SHA1 fd46cb83b9a55ee91cbbbcb9f31d588b614c2511
SHA256 271087ea93abd0d5ceb7c5bc7b8f8f0defa1dec765333b79c19b096619de0882
SHA512 21b357f1895736f8186483862a2d262b9163574cae0a7df888036b9794eb5ad7a6603d457d60d243be4c3d46c72da4c5dd039ec789a24eb774933e2417701f43

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:34

Reported

2024-05-09 19:36

Platform

win11-20240419-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 572 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe C:\Windows\rss\csrss.exe
PID 1864 wrote to memory of 4632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 1648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1864 wrote to memory of 1564 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1952 wrote to memory of 3144 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe

"C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe

"C:\Users\Admin\AppData\Local\Temp\691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 06869909-4dce-4f44-8d02-0636cb077737.uuid.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.filesdumpplace.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server3.filesdumpplace.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufa22r3v.xdp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2db87365ff239c44c5ebf324bc8f3aa0
SHA1 6d57489eb145e0a4e17723d6270135e3697b3c78
SHA256 d21730381ada07eae18b900f22bf072c5679f234b6c2ef2e1e22247dbccbed12
SHA512 3f825fe27bb2f9d309fd0d4489afc059990c7050e79b504640a67d8473549cfa0338f922f03a61ef36bcff1ed51aff5263cb43293675e9f7adf7e0b47dd6a125

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2c48a2a76cd57376b75621d291be2fd3
SHA1 57797530eaf2a0ce1164a0dc9843e6b818376179
SHA256 bd5b6cf21d3602b33429ba91788a12f2e381dcb761eb7809c469370fcbb06540
SHA512 8cfc891e5ad8e015a5a55f5528800eb9c96391b0127e00cc14098db84ca3e95c070909e8931167ecce7fcb0b0b06a72b768f7f26921abc1c0f66eb8037762123

C:\Windows\rss\csrss.exe

MD5 0ed8d071deae90ff638cb070d0b9559d
SHA1 9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda
SHA256 691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99
SHA512 960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e997490ec52b1d573e26fbb57e6985a3
SHA1 8fe37a11de7bd9de9b23a6c2913d40f344fcffe8
SHA256 73ae26031ecaa1dd566b695041bd599650913efcd7c19090006c8cfb72ae978b
SHA512 22b0a1f91586039d715363414a03a8d4ff5c44c1e41dc49693b7393642eb1291a70aecf2736d72850452ad5ada740cc4392ce8ed79b94ccb6c32925cc9f31f72

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3bec18afb6dffcc3947b90000c31caea
SHA1 f211c28bdc089b73f2263f963bc905ac273632ff
SHA256 842a9cd4b766034d5f53d25a332cf707b5408ead3c74f724bead75158566cf86
SHA512 a99fd0b069a4c58ec9fa8191a15ab5992bcb24bb8ba3c97941748b828722cb1118be37f4724c0dc13ded542e2d6f1a2bdcb4a81b3edf06ce5cb462f38bd87834

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c1e9618adf8f3dd43e470a321f3782ce
SHA1 36a768bd6c83b940db597e4851fa9260dc39fbc6
SHA256 3cb6c47490d49f716717d82299221869e7b1f6ef5a84752cc6cdb4e35a97d497
SHA512 5370e7efe238afe3d66c691e70668f75e5316eac793c3c952fa789d9ddc14095e7dcece366a279f67b87da44953e6cf220626c9ef9758aadb249881679099b37

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
