Malware Analysis Report

2025-01-02 06:36

Sample ID 240515-3gz4hahf7w
Target 270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab
SHA256 270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab

Threat Level: Known bad

The file 270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:29

Reported

2024-05-15 23:32

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target Count
N/A N/A N/A N/A 19

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 6

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 14
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 32
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1492 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1612 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1612 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\system32\cmd.exe 2
PID 3244 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 1612 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1612 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1612 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\rss\csrss.exe 3
PID 2968 wrote to memory of 4884 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2968 wrote to memory of 1524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2968 wrote to memory of 956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2968 wrote to memory of 3636 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 4808 wrote to memory of 1368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1368 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe

"C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe

"C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3mkeit2.3sg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 da7a8ae16066ce8d0dc27bde9e49ba62
SHA1 9028705e5cf5ae0a10a92b91c424e585369af0f3
SHA256 4388f34c92a5b629fa56038184fc95a47f2dc3ae55a311d85038f8652ef5a9f6
SHA512 f853e9b69bcd3afc3e18b94ae5dd80ed9ee011fe06bbde88da38d9ff81b1e00f6d59df11e19c0195b596a337e80948580b069474df012334fa76736fb641b9eb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 492368fbf99b57da984800fc2c6607cf
SHA1 2b0888314c4c6f9b1c0e320206a22dca9b249ac1
SHA256 b46fc83e708f7dbd836eadd0e85cc92100b7bd6baf1ef1c788e26851aa5cc6f0
SHA512 0a78a7aa7848bdc87600411b2bb652a6b388f6bcd52cc09657aa0b456e5857e9aaab4e25a3da9778ea764b70bf11985191a3ac065ff60fed8b5c5cb7d5d4d838

C:\Windows\rss\csrss.exe

MD5 faf63e3a8ca69c6915f26a14fac35100
SHA1 2bec65a43fbfecf74a51e2e1192164014f37e817
SHA256 270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab
SHA512 b3e92130187cf010687b11e2db3e3703d19876f5147faa2f7a56bd3da076d86093dc8828949c36dd1e275b2a07bbdf0c2ac3fe69ee21f69b92da4338e122f729

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1a27dd2b07b6a41c634a83600a2af95c
SHA1 2118751e1c598e71fbadb8f54cb882211069cd48
SHA256 38ab364ec1c0406fb041d51822f166f474019988547a975459f994651a95ad1a
SHA512 c981b500842a8b0a64403d23f250c8a9ea3aedae81b71e85a5532fb3108819c999b2e5e5737976346b842f7fd0d4c3ff09177b0fb71ac11152810318fb8e9119

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 03cb313eb905d70c97b3ebea7577959a
SHA1 176db37d92e8f052cb99602e9cd6698ce05ee86d
SHA256 cf33f932ddf40cd8d60b3a15b5e0328132293dbd5519747fdf999a24fe929815
SHA512 8bdaf9050a19f93a6107113a30a8bf6576f6ece87ffcfe9fd8c2a8dc2d5690acd8c9335a3d9a3d0245123a28e45796724042b9a75ebf286327519cfbd88ae2b7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ed3a5a3dd0bf2d5b2544b182844ee853
SHA1 4c8f2c1c7e7adde6426fea715d279ae3f1e0ba25
SHA256 680edd10e9d171b842e8eaf63693a724fddcdeddc04ee4a15c76851f5b0d9527
SHA512 51458188288aadf1d1403ad2350d4750a12d908f71d7f9ebf9d4c8bf48859ef3a6285210e4eb4c1cff29078e0b11842bc41af2abf7b4067ac86bd4bb337aaee3

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:29

Reported

2024-05-15 23:32

Platform

win11-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4176 wrote to memory of 416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1468 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\rss\csrss.exe
PID 1468 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\rss\csrss.exe
PID 1468 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe C:\Windows\rss\csrss.exe
PID 2252 wrote to memory of 4696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 4696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 4696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 1004 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 1004 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 1004 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 5116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 5116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 5116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2252 wrote to memory of 2224 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2252 wrote to memory of 2224 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5056 wrote to memory of 4864 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4864 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4864 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4864 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4864 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe

"C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe

"C:\Users\Admin\AppData\Local\Temp\270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 63768cad-8309-4c65-a9f7-33a24a83ad1d.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server11.thestatsfiles.ru udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server11.thestatsfiles.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server11.thestatsfiles.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltpnrmor.ymb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 94da9ef44b612a8e102f0a61e17487ae
SHA1 56ab79aaf3e7038411b0ddb75636c047707dc41a
SHA256 568357aff340b5acb5fc411996809e364c4789e08dabd7a211f5784e8e3336b2
SHA512 675dc424eb3793dd5e0bfeec98931534062979e46ef30c85b7696b36bbe4be689fa69f85841e515f98e61dc9e67f0cf997420ae4955fd35b94ebcd79ef1f7759

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 732c03ae4560fbd337fa1510570c36a1
SHA1 4343b66c2a70671b44ab53e5bf4a6e0b6217291e
SHA256 70dcef509de4752d910449818d2d755d11b5482ecb5baa260404a7e0b208003e
SHA512 7c459c62ff7c413ea47b03ea2f54ac74851c43e9fcad7308b0d6ec8f558df4d3ecf190a35fe416fb3eab95b57d951eb6b03bfe369ed6aa419179425f4f1fefa3

C:\Windows\rss\csrss.exe

MD5 faf63e3a8ca69c6915f26a14fac35100
SHA1 2bec65a43fbfecf74a51e2e1192164014f37e817
SHA256 270b65f0490d7874b071522f57305e77167b8e7e24caa7e987747c6910e191ab
SHA512 b3e92130187cf010687b11e2db3e3703d19876f5147faa2f7a56bd3da076d86093dc8828949c36dd1e275b2a07bbdf0c2ac3fe69ee21f69b92da4338e122f729

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 723e4b0b375e8e52ac7476cf6d03bf37
SHA1 570635f8c3f7d316e05a67a96213f63379665a93
SHA256 96a944c2be370c7fe86aee984895ce312720ce027d0e31a8dd7fbb02b5da48a8
SHA512 debc1b4e805deec218e75da9b629ac2c3c6ee1db9cb8b6eaedf4f7123aa140799d2b013d65c56ee354f6326d2d768f1d301b17aa291027cd40be0f767c7c23fa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a9c094af682cfc469c4606b0cedd75e9
SHA1 8241a368fc6c2ccdf98b3de1e7fb3da906d2aa94
SHA256 17307a0504d6923ae8664c09049db8bd74de94dc43955f89c291cc8b79b76479
SHA512 ee547dae29d35cab6d0474d6fe7303be515119468295ffd21e9abcb0537bc13c85ad9e2298682648ecd2fe3fb2497e3fc90ab9831c5d2486e11ccde5beda3cd4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad003f3f3818b17c3f9d5879b5fb7e9a
SHA1 456d6989ea27c4ea88bd06752dc9528e93cbd8e8
SHA256 54eed9dbbb913c433bee9ea962d08f7c2fda496226916d9351501a4b42f5effc
SHA512 8be2ead6559348542e7eeac61c325779e0ea85407f290d152cafa567de172698df713aeadd7447060d98d54b92ad53adb5a87253a52039bce486253827071e54

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
