Malware Analysis Report

2025-01-02 06:42

Sample ID 240515-3hybashg31
Target afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c
SHA256 afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c

Threat Level: Known bad

The file afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:31

Reported

2024-05-15 23:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3308 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\system32\cmd.exe
PID 3428 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\system32\cmd.exe
PID 3648 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3648 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3428 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3428 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\rss\csrss.exe
PID 3428 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\rss\csrss.exe
PID 3428 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\rss\csrss.exe
PID 2944 wrote to memory of 4724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1980 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2944 wrote to memory of 1980 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4876 wrote to memory of 4156 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4156 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4156 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4156 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4156 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4156 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe

"C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe

"C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 573eb998-97f1-4a55-b06b-9a2e43d203d5.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server1.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
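Read as a flat list the Network table hides its structure: most of the UDP rows are reverse (PTR) lookups, and four of them decode to exactly the IPs the sample had just connected to (the Discord CDN, the STUN server, `server1.databaseupgrade.ru` and `carsalessystem.com`); the UUID-labelled name under `databaseupgrade.ru` is resolved but never connected to; and the only traffic on port 3478 is STUN, which a client uses to learn its own public address. The parser below is an added example written for this report, not sandbox tooling; `NETWORK_TABLE` is the table above copied verbatim, and the `Flow` type and `triage_network` function are the author's own names.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the Network table above, copied verbatim from this report
# (country, destination ip:port, queried or contacted name, protocol).
NETWORK_TABLE = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 573eb998-97f1-4a55-b06b-9a2e43d203d5.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server1.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
"""

UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    name: str
    proto: str

    @property
    def is_dns(self) -> bool:
        return self.proto == "udp" and self.port == 53


def parse_table(text: str) -> list[Flow]:
    flows = []
    for line in text.strip().splitlines():
        country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), name, proto))
    return flows


def ptr_target(name: str) -> str | None:
    """Decode a reverse-lookup name: '108.216.82.185.in-addr.arpa' -> '185.82.216.108'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage_network(text: str = NETWORK_TABLE) -> dict:
    flows = parse_table(text)
    contacted = [f for f in flows if not f.is_dns]
    ptr_targets = {ptr_target(f.name) for f in flows if f.is_dns} - {None}
    return {
        # Every non-DNS endpoint actually reached, with how often it was hit.
        "contacted": dict(Counter((f.name, f.ip, f.port, f.proto, f.country) for f in contacted)),
        # PTR lookups the sample issued for IPs it had itself connected to.
        "self_ptr": sorted(ptr_targets & {f.ip for f in contacted}),
        # STUN (port 3478): public-address discovery, not command and control by itself.
        "stun": sorted({f.name for f in flows if f.port == 3478}),
        # UUID-labelled subdomains: a per-host identifier carried inside a DNS query.
        "uuid_hosts": sorted({f.name for f in flows if UUID_LABEL.match(f.name)}),
        # Names resolved but never connected to inside the sandbox window.
        "resolved_only": sorted({f.name for f in flows if f.is_dns and ptr_target(f.name) is None}
                                - {f.name for f in contacted}),
    }


if __name__ == "__main__":
    for key, value in triage_network().items():
        print(key, value)
```

The `self_ptr` bucket is the one worth a second look when writing network detections: a process that reverse-resolves every peer it has just spoken to is unusual for ordinary software, and the remaining PTR targets in the table (Microsoft and CDN ranges) are the sandbox's own background traffic being treated the same way.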

Files

memory/3308-1-0x0000000004640000-0x0000000004A42000-memory.dmp

memory/3308-2-0x0000000004B50000-0x000000000543B000-memory.dmp

memory/3308-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1208-4-0x00000000747DE000-0x00000000747DF000-memory.dmp

memory/1208-5-0x0000000005400000-0x0000000005436000-memory.dmp

memory/1208-6-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1208-7-0x0000000005A70000-0x0000000006098000-memory.dmp

memory/1208-8-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1208-9-0x00000000059F0000-0x0000000005A12000-memory.dmp

memory/1208-10-0x00000000062D0000-0x0000000006336000-memory.dmp

memory/1208-11-0x0000000006340000-0x00000000063A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ska4nsgc.jiz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1208-21-0x00000000064B0000-0x0000000006804000-memory.dmp

memory/1208-22-0x0000000006950000-0x000000000696E000-memory.dmp

memory/1208-23-0x00000000069B0000-0x00000000069FC000-memory.dmp

memory/1208-24-0x0000000007AF0000-0x0000000007B34000-memory.dmp

memory/1208-25-0x0000000007CB0000-0x0000000007D26000-memory.dmp

memory/1208-26-0x00000000083B0000-0x0000000008A2A000-memory.dmp

memory/1208-27-0x0000000007D50000-0x0000000007D6A000-memory.dmp

memory/1208-29-0x0000000007F00000-0x0000000007F32000-memory.dmp

memory/1208-42-0x0000000007F60000-0x0000000008003000-memory.dmp

memory/3308-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1208-43-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1208-41-0x0000000007F40000-0x0000000007F5E000-memory.dmp

memory/1208-31-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/1208-44-0x0000000008050000-0x000000000805A000-memory.dmp

memory/1208-30-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1208-45-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1208-46-0x0000000008100000-0x0000000008196000-memory.dmp

memory/1208-47-0x00000000080C0000-0x00000000080D1000-memory.dmp

memory/1208-48-0x0000000008040000-0x000000000804E000-memory.dmp

memory/1208-49-0x00000000080E0000-0x00000000080F4000-memory.dmp

memory/1208-50-0x00000000081C0000-0x00000000081DA000-memory.dmp

memory/1208-51-0x00000000081B0000-0x00000000081B8000-memory.dmp

memory/1208-54-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/3308-57-0x0000000004640000-0x0000000004A42000-memory.dmp

memory/3308-58-0x0000000004B50000-0x000000000543B000-memory.dmp

memory/3308-56-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1924-68-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1924-69-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/1924-79-0x0000000006CE0000-0x0000000006D83000-memory.dmp

memory/1924-80-0x0000000007010000-0x0000000007021000-memory.dmp

memory/1924-82-0x0000000007060000-0x0000000007074000-memory.dmp

memory/3308-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3428-81-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4224-92-0x00000000055A0000-0x00000000058F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 579ce1cf3d86e8c6bc4e25de304542a7
SHA1 70f9ccab701999ed276ce7ed70b05caae5ebf595
SHA256 95a2358886831ef6121e2a649e10201be928be494e556d0284b63eb5d6221069
SHA512 2b05fa4511e1871675b611d07fe6bc7a6e19416b40429a119a386ace9e44091dab3b551e15bc5128c78d882b9189cbd993826f855ce0489d06248e68895c86a2

memory/4224-98-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4224-99-0x0000000070DF0000-0x0000000071144000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8f1d18bb4a14cae156b0be8874fec498
SHA1 9d84ad72bab906b1cfc83e8cd7a664dffcf9c903
SHA256 84c74d42b713daf179b5e683f92be8aeef1028d37fb9bd3de8e1af639b1ad0b6
SHA512 31269dc97756b0b16a63e8bf3a6752457c0825048df2b7b8132973576d02a5ca20605bd5110a8ef8ba518d4ec3cf862c1ff326713ac2a41108314593774ab809

memory/4372-121-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4372-122-0x0000000070DF0000-0x0000000071144000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f69757fce122491e1758c6b6455f201a
SHA1 799a0b597ab5b1f65268ff3ecfd5f221fc236853
SHA256 afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c
SHA512 e6e52c1147ac6c81e97d414d9f4da3c2e688290f348ec610dad82bd68a1d87a688eb1191d6cc8de9360dd068813eb9c1ae3287df7d9da295148fef7264185190

memory/3428-136-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e908686e25469bdbf6b252ccd1ac1e1d
SHA1 e6e6770bd5462abc764d2d16cad4d6fa56c2d847
SHA256 5e7d733174c1fbbe753e49cd51370bc7c8809e041355d3e721705dcd217655da
SHA512 b7198ec30a76dbfe5a61688c4c1c3d8b0ee31a319d755b9f15a4500b8884a625faf5e344c341a7e2fdafd8ebc1cd90d78655b1878477f9a78ad7342995185b7b

memory/4724-150-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4724-151-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/4796-167-0x0000000006190000-0x00000000064E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc9633b87587d3a9bc82bbd23d136d26
SHA1 f920a628aa6dd6981c05d1750788508fd0a743f5
SHA256 da324a8c462563b47728e9cbebb0571690898171a02add6a64fc2209f5c9244b
SHA512 711420f0d87fddeb3a667d7476b8cdad7a2a74f37ea49d73bcfee346cef821a3550cbf0f9a50c620ce8b48a2c2318f2a695c6199e65fee46ec7f17c6e2baf4f1

memory/4796-173-0x0000000006D80000-0x0000000006DCC000-memory.dmp

memory/2944-174-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4796-175-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4796-176-0x0000000070D20000-0x0000000071074000-memory.dmp

memory/4796-186-0x0000000007AB0000-0x0000000007B53000-memory.dmp

memory/4796-187-0x0000000006600000-0x0000000006611000-memory.dmp

memory/4796-188-0x0000000006640000-0x0000000006654000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d22156401d46315f7dfb8c4c3022214c
SHA1 d1c111a660ba725a55698a125135d607af043be1
SHA256 9eb0205d5db79d134e6be896e502b0d4f1da80825132ade31d4f31ebff229081
SHA512 5ff55f075da1f17d5849e68deb150affd97217ea159ee97bbb2ed0dc1307369b346c2712bf9f1f23495309612a4af4270220cb09ef9919b9439fd2b547727566

memory/1636-200-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/1636-201-0x0000000070D20000-0x0000000071074000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2944-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4876-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2764-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4876-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2944-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2764-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2944-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2944-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2764-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2944-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2944-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2944-243-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2944-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2944-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2944-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:31

Reported

2024-05-15 23:34

Platform

win11-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
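This `sc.exe` launch is the `sc sdset WinDefender D:(A;;...)...` command shown in the behavioral1 process list. Decoded, that SDDL strips `WP` (SERVICE_STOP) and `DT` (SERVICE_PAUSE_CONTINUE) from the Administrators allow ACE and then adds an explicit `(D;;WPDT;;;BA)` deny, so a local administrator can no longer stop or pause the service; the deny ACE also sits after an allow ACE, an ordering the Windows security editor never produces. The decoder below is an added example written for this report, not Microsoft or sandbox code: `OBSERVED_SDDL` is the page's string verbatim, `DEFAULT_SDDL` is the commonly documented default service descriptor and is an assumption to confirm with `sc sdshow` on a reference host, and the right and trustee tables cover only the codes that appear in service descriptors.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# The SDDL passed to `sc sdset WinDefender ...` in the behavioral1 process
# list of this report, copied verbatim.
OBSERVED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumed baseline: the default descriptor Windows assigns to a new service.
# Confirm with `sc sdshow <service>` on a clean host before trusting the diff.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL access rights as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone", "AU": "Authenticated Users"}


@dataclass(frozen=True)
class Ace:
    kind: str              # allow / deny / audit
    flags: str             # e.g. FA = audit failed access
    rights: frozenset[str]
    trustee: str


def parse_rights(text: str) -> frozenset[str]:
    """Expand a run of two-letter right codes ('WPDT') into right names."""
    if text.startswith("0x") or len(text) % 2:
        raise ValueError("unsupported access mask: %r" % text)
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    unknown = [c for c in codes if c not in SERVICE_RIGHTS]
    if unknown:
        raise ValueError("unknown right code(s): %s" % unknown)
    return frozenset(SERVICE_RIGHTS[c] for c in codes)


def parse_sddl(sddl: str) -> dict[str, list[Ace]]:
    """Return the DACL ('D') and SACL ('S') ACE lists of an SDDL string."""
    acls: dict[str, list[Ace]] = {"D": [], "S": []}
    for section, body in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            # (type;flags;rights;object_guid;inherit_guid;sid)
            kind, flags, rights, _obj, _inh, sid = ace.split(";")[:6]
            acls[section].append(Ace(ACE_TYPES.get(kind, kind), flags,
                                     parse_rights(rights), TRUSTEES.get(sid, sid)))
    return acls


def can(dacl: list[Ace], trustee: str, right: str) -> bool:
    """First-match evaluation for a single trustee. Group membership and
    privilege overrides are ignored; enough to read a hand-written DACL."""
    for ace in dacl:
        if ace.trustee == trustee and right in ace.rights:
            return ace.kind == "allow"
    return False


def audit_service_dacl(sddl: str, baseline: str = DEFAULT_SDDL,
                       trustee: str = "Administrators") -> dict:
    """Compare a service DACL against the baseline for one trustee."""
    dacl, base = parse_sddl(sddl)["D"], parse_sddl(baseline)["D"]
    allowed = {r for a in dacl if a.kind == "allow" and a.trustee == trustee for r in a.rights}
    allowed_base = {r for a in base if a.kind == "allow" and a.trustee == trustee for r in a.rights}
    denied = {r for a in dacl if a.kind == "deny" and a.trustee == trustee for r in a.rights}
    kinds = [a.kind for a in dacl]
    return {
        "explicit_deny": sorted(denied),
        "removed_from_allow": sorted(allowed_base - allowed),
        "can_stop": can(dacl, trustee, "SERVICE_STOP"),
        "can_change_config": can(dacl, trustee, "SERVICE_CHANGE_CONFIG"),
        "can_write_dac": can(dacl, trustee, "WRITE_DAC"),
        # Canonical DACLs list explicit denies before explicit allows; a deny
        # after an allow was typed by hand, not produced by Windows tooling.
        "non_canonical_order": "deny" in kinds and "allow" in kinds
                               and kinds.index("deny") > kinds.index("allow"),
    }


if __name__ == "__main__":
    for key, value in audit_service_dacl(OBSERVED_SDDL).items():
        print("%-20s %s" % (key, value))
```

Two things the decode makes explicit for responders: Administrators keep `DC`, `SD` and `WD`, so an elevated shell can still restore the default descriptor with `sc sdset`, then stop and delete the service, and a service whose DACL carries a deny ACE for the Administrators group at all is a usable hunting condition, since no legitimate installer writes one.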

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 336 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 336 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 336 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2220 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 928 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\rss\csrss.exe
PID 928 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\rss\csrss.exe
PID 928 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe C:\Windows\rss\csrss.exe
PID 804 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 5100 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 5100 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 5100 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 804 wrote to memory of 4576 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 804 wrote to memory of 4576 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2820 wrote to memory of 2832 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2832 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2832 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2832 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2832 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe

"C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe

"C:\Users\Admin\AppData\Local\Temp\afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 d32c1e16-e3fa-4fb3-ac30-5200bd72f073.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 server15.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server15.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server15.databaseupgrade.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4iz3n34.usi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8579cf9eabf1653b0efcce8a8d9a8f9a
SHA1 5a61f9c6d34729c0ec2e84990a69c1a6e366d69b
SHA256 7aab2b973741bf528b9b524efc58f3755b91ab9f7e600089ef26a990332f5a64
SHA512 d182227d445e3cff8ec90cda172df2e5264ff9bb42f509753a4e08dff5a1dc16632f493106226af1c2798281522ce3482fe6e65ae6aa75a3450fbdf07bd2fe90

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88b8c9700c86ec8d319b532a8eeb9a13
SHA1 02509d9df6f4532bbc371e6df0dbacab3f51c8bc
SHA256 08f2989c81a4c7ca22a6a6cf0091a3a33d428194cbbf5e32c336860f2c360538
SHA512 e52cd9215fd57d4ab7483d403c0424495fc29f46cdd8d6c3ad89689ee0e6e249f15423eb4fc8f48924012125e12bf39ea5edeff11cff9b140793b4aa604e04d5

C:\Windows\rss\csrss.exe

MD5 f69757fce122491e1758c6b6455f201a
SHA1 799a0b597ab5b1f65268ff3ecfd5f221fc236853
SHA256 afa534224d1969fbab79ecd20e489be991e9401d2376bb5d2748d345797e9c7c
SHA512 e6e52c1147ac6c81e97d414d9f4da3c2e688290f348ec610dad82bd68a1d87a688eb1191d6cc8de9360dd068813eb9c1ae3287df7d9da295148fef7264185190

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc433793199d11e968c36c9b1f075ed5
SHA1 6e7df2d461a50359ccc3ce763b13547e5e220eea
SHA256 b6aef81c78b9ea910ed961751f0e48e34b765e1ab41f5b57ff924a3612bc25dc
SHA512 e5bfb48b64bb0515ed44d5e38dc18d6217ee957783ba3148b59705ca56acc11e42a8f5b2367d4d6f5231e0bbaee2702eae01a0c62bd9fdbbedc50af622e7e168

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 625ccb8e7c8af80d2a6daec0157f6dc6
SHA1 ee2f7d2cc0bcc8c9b26824373a9977e5cd8f67be
SHA256 6c7ad5a2b06fc85b21dcf5cc41d5b50b2b29f2ae12c77c596109c09812f7a293
SHA512 c9d44168a539cd6b6d9feec6dfdda2dc12519ad2d826dce1c7c893610cdd383c6681f3d719ae9ba8af03f9bcb0c4f92f45116f642e1dd95bd4beca2412473a4a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e13aaba6d55402649f4450c2320b5274
SHA1 5eced9d9b14e15689afc0299989263e86185b594
SHA256 fc2db17e32584b99edabc8229154aff86ccbcc743a3cda9385bb87f151202df0
SHA512 ae1de13fe9312f732d32f8e17a402f253c8cd4894d2937b90c7309590fb0b7aa522fab8808a66f526d87f8545ef97a840db7e568b1b3d7034cd28a7566d4506d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
