Malware Analysis Report

2025-01-02 06:38

Sample ID 240515-3knvmshh3w
Target 9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf
SHA256 9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf

Threat Level: Known bad

The file 9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:34

Reported

2024-05-15 23:37

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×19)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A (×2)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×6)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (×5)

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A (×2)

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (×2)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A (×2)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (×2)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A (×10)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (×10)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A (×6)
N/A | N/A | C:\Windows\rss\csrss.exe | N/A (×2)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A (×6)
N/A | N/A | C:\Windows\rss\csrss.exe | N/A (×2)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A (×2)
N/A | N/A | C:\Windows\rss\csrss.exe | N/A (×2)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A (×18)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (×6)
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A (×2)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 228 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2256 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2256 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | C:\Windows\system32\cmd.exe (×2)
PID 1856 wrote to memory of 5100 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe (×2)
PID 2256 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2256 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2256 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe | C:\Windows\rss\csrss.exe (×3)
PID 4264 wrote to memory of 4168 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 4264 wrote to memory of 5052 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 4264 wrote to memory of 4484 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 4264 wrote to memory of 1080 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (×2)
PID 4492 wrote to memory of 3328 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe (×3)
PID 3328 wrote to memory of 3764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe

"C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe

"C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
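
The last command in this list rewrites the security descriptor of the WinDefender service with `sc sdset`. The Python below is an added example, not part of the sandbox output: it parses that SDDL string (copied verbatim from the sc.exe command line above) and compares it with the descriptor a freshly created service normally carries, which is included as `DEFAULT_SDDL` and is an assumption for comparison only. The rights and SID tables, the function names and the simplification that group membership is not expanded are this example's own.

```python
"""Decode the service security descriptor applied by `sc sdset WinDefender ...`
(added example, not sandbox output). SDDL_FROM_REPORT is copied verbatim from
the sc.exe command line in the process list; DEFAULT_SDDL is the descriptor a
freshly created service normally carries and is an assumption used as a
baseline. Only the SDDL subset that service descriptors use is handled
(no conditional ACEs, no object GUIDs)."""
import re

# Two-letter SDDL right tokens as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
WELL_KNOWN_SIDS = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
                   "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

SDDL_FROM_REPORT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: the usual descriptor of a service created with default security.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# "D:" (DACL) or "S:" (SACL), optional control flags, then a run of "(...)" ACEs.
_ACL_RE = re.compile(r"(D|S):P?(?:AI|AR)?((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights(token_str):
    """Split 'CCLCSW...' into {'CC','LC','SW',...}; a hex mask is kept whole."""
    if token_str.startswith("0x"):
        return {token_str}
    if len(token_str) % 2:
        raise ValueError(f"odd-length rights string: {token_str}")
    return {token_str[i:i + 2] for i in range(0, len(token_str), 2)}


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]}; each ACE is a dict."""
    acls = {"D": [], "S": []}
    for which, body in _ACL_RE.findall(sddl):
        for ace in _ACE_RE.findall(body):
            parts = ace.split(";")
            if len(parts) != 6:
                raise ValueError(f"unsupported ACE form: ({ace})")
            ace_type, flags, rights, _obj, _inherit, sid = parts
            acls[which].append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                                "rights": _rights(rights), "sid": sid,
                                "who": WELL_KNOWN_SIDS.get(sid, sid)})
    return acls


def effective_rights(sddl, sid):
    """Explicit allows for `sid` minus explicit denies (canonical-order evaluation).
    Group membership is not expanded, so a user inside BA is not modelled."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["D"]:
        if ace["sid"] == sid:
            (allowed if ace["type"] == "allow" else denied).update(ace["rights"])
    return allowed - denied


def can_stop(sddl, sid):
    """True when the DACL leaves `sid` with SERVICE_STOP (or GENERIC_ALL)."""
    rights = effective_rights(sddl, sid)
    return "WP" in rights or "GA" in rights


def rights_lost(sddl, baseline=DEFAULT_SDDL):
    """Per SID, the rights the baseline grants that `sddl` no longer does."""
    lost = {}
    for sid in {a["sid"] for a in parse_sddl(baseline)["D"]}:
        missing = effective_rights(baseline, sid) - effective_rights(sddl, sid)
        if missing:
            lost[sid] = sorted(SERVICE_RIGHTS.get(r, r) for r in missing)
    return lost


def describe(sddl):
    """One readable line per DACL entry, e.g. 'deny  Administrators: SERVICE_STOP'."""
    return [f'{a["type"]:5} {a["who"]}: '
            + ", ".join(SERVICE_RIGHTS.get(r, r) for r in sorted(a["rights"]))
            for a in parse_sddl(sddl)["D"]]


if __name__ == "__main__":
    print("\n".join(describe(SDDL_FROM_REPORT)))
    print("Administrators can stop:", can_stop(SDDL_FROM_REPORT, "BA"))
    print("Rights removed vs. default:", rights_lost(SDDL_FROM_REPORT))
```

Decoded, the descriptor keeps the usual entries for Local System, interactive users and service accounts, but the Administrators entry has SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) removed and a separate deny ACE for the same two rights added, so an administrator can query and start the service while `sc stop` and `net stop` fail with access denied. The Administrators entry still carries WRITE_DAC (WD) and SERVICE_CHANGE_CONFIG (DC), so an elevated shell can restore the descriptor with `sc sdset` or reconfigure the service, and Local System keeps SERVICE_STOP. On a suspect host, `sc sdshow <service>` prints the live descriptor in the same notation and can be fed to `parse_sddl`.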

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 36c7e83b-3312-4398-be89-e2f5b702fd8b.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.thestatsfiles.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp

Files

memory/228-1-0x0000000004650000-0x0000000004A4D000-memory.dmp

memory/228-2-0x0000000004B90000-0x000000000547B000-memory.dmp

memory/228-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2576-5-0x000000007477E000-0x000000007477F000-memory.dmp

memory/228-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2576-6-0x0000000002560000-0x0000000002596000-memory.dmp

memory/2576-7-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2576-8-0x0000000005120000-0x0000000005748000-memory.dmp

memory/2576-9-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

memory/2576-10-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/2576-11-0x0000000005830000-0x0000000005896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fauouxv0.irv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2576-21-0x0000000005A60000-0x0000000005DB4000-memory.dmp

memory/2576-22-0x0000000005E80000-0x0000000005E9E000-memory.dmp

memory/2576-23-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

memory/2576-24-0x00000000063F0000-0x0000000006434000-memory.dmp

memory/2576-25-0x0000000007200000-0x0000000007276000-memory.dmp

memory/2576-26-0x0000000007900000-0x0000000007F7A000-memory.dmp

memory/2576-27-0x00000000071C0000-0x00000000071DA000-memory.dmp

memory/2576-29-0x0000000070610000-0x000000007065C000-memory.dmp

memory/2576-30-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2576-28-0x0000000007400000-0x0000000007432000-memory.dmp

memory/2576-31-0x0000000070790000-0x0000000070AE4000-memory.dmp

memory/2576-41-0x0000000007440000-0x000000000745E000-memory.dmp

memory/2576-42-0x0000000007460000-0x0000000007503000-memory.dmp

memory/2576-43-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2576-44-0x0000000007550000-0x000000000755A000-memory.dmp

memory/2576-45-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2576-46-0x0000000007610000-0x00000000076A6000-memory.dmp

memory/2576-47-0x0000000007570000-0x0000000007581000-memory.dmp

memory/2576-48-0x00000000075B0000-0x00000000075BE000-memory.dmp

memory/2576-49-0x00000000075C0000-0x00000000075D4000-memory.dmp

memory/2576-50-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/2576-51-0x0000000007600000-0x0000000007608000-memory.dmp

memory/2576-54-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/228-56-0x0000000004650000-0x0000000004A4D000-memory.dmp

memory/228-57-0x0000000004B90000-0x000000000547B000-memory.dmp

memory/228-58-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/228-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4548-69-0x0000000005B10000-0x0000000005E64000-memory.dmp

memory/4548-70-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4548-71-0x0000000070D90000-0x00000000710E4000-memory.dmp

memory/4548-81-0x0000000007360000-0x0000000007403000-memory.dmp

memory/4548-82-0x0000000007670000-0x0000000007681000-memory.dmp

memory/2256-83-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4548-84-0x00000000076C0000-0x00000000076D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2676-97-0x0000000005A20000-0x0000000005D74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ffc1a77433c48fecf0be70e5ee4d574e
SHA1 3adda850d05b2718f310d242b831b619238b4f36
SHA256 bffcf2b0d8fa6773c29b510870a9a3c8a29c63a34c9fafe50a5e491b3a48b45a
SHA512 77ddfede615440232ff332988ff74a49cc90ac7d4ee925f05f09505dbf70000c56826af78bfc7186a1e2e46339e637fb68a26a67d3dabf646754962f8cececef

memory/2676-101-0x00000000709E0000-0x0000000070D34000-memory.dmp

memory/2676-100-0x0000000070610000-0x000000007065C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 39b5c957b8630907c028ba0ce984b4b5
SHA1 1fbea1b0cee2a2c4c48883bb37cb06a9d0d89c20
SHA256 e114dba55cda923ac050ee4081d73874f1bb68328335a8fed4e3c5f3df1b4528
SHA512 c865a2cb170786034b392a20f245e2cdae9fcaac196e13d1fe95aa401364129d1d837c60c6737586114da717a84e7f0ef53258a2ba7146ec4266d13705ccb751

memory/4788-123-0x0000000070790000-0x0000000070AE4000-memory.dmp

memory/4788-122-0x0000000070610000-0x000000007065C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 db690b7d750acb89c3aa50559853c396
SHA1 2252d4286fce4849b03a9f803c2462fc69d9bc3a
SHA256 9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf
SHA512 e34612a80e3cfb18722cb6024e5847c455d12669b17ce15354abaa43f0d9487f628c956e5c496931a6ffd0e9f7bda470cfe527fab30d7ff344d1b2fc9b13b294

memory/2256-137-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5a2f381c166d033a8de3ac3ea927774
SHA1 2d57158496ef50cefed665bf7e7b550993485e46
SHA256 277050732e062ebec27e7f221155885acf776c00a0c65549fb3e4d8648a07b6a
SHA512 30658b72eb44de2f6650e367b6a11e1d033e648d30df75ef235b5cc22720367110fc2ece6de73a478c27b57677e2a279d9e10dbb98d4d73301a58598b2e1208e

memory/4264-151-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4168-152-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4168-153-0x0000000070790000-0x0000000070AE4000-memory.dmp

memory/5052-166-0x0000000005F90000-0x00000000062E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5458dadca9d6f65237a3b514a1cbb1b5
SHA1 c6a77f84eb26770a005ad58a3c9dadb1d7a92295
SHA256 c857a2b46fb78ad9887edd738669b67acc1c973f582a2ee5cfba49bb55f2cdf9
SHA512 4749c980c3140c74c244c4c83f9e52344146f12f2be7489d56fb19774004a8bbc2c4579d353e7d7fa421103bdaf48135a8c27da891adf02d7aa0b7d4446444c0

memory/5052-175-0x00000000066A0000-0x00000000066EC000-memory.dmp

memory/5052-176-0x0000000070530000-0x000000007057C000-memory.dmp

memory/5052-177-0x0000000070CC0000-0x0000000071014000-memory.dmp

memory/5052-187-0x0000000007870000-0x0000000007913000-memory.dmp

memory/5052-188-0x0000000007BF0000-0x0000000007C01000-memory.dmp

memory/5052-189-0x0000000006430000-0x0000000006444000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c89703fa898a98dfc225beee550726bc
SHA1 3979dd1afb3f82e7c4b135f845b84dfa46ad87c5
SHA256 dd1c706a1b7476eb9cec3fe124f6f83d48bd51f50a5cd55566ca0dc772a9011c
SHA512 2beb1596a7fa6b60673e6cb2f188caf375f590d3855e606ca375e1c3631746bf85052eee84f67463202aabe21b45ce71ce897dc28aa5817181ddbd9697d4bc87

memory/4484-202-0x0000000070530000-0x000000007057C000-memory.dmp

memory/4484-203-0x0000000070CC0000-0x0000000071014000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4264-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4492-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4908-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4492-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4264-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4908-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4264-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4908-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4264-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-251-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-254-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:34

Reported

2024-05-15 23:37

Platform

win11-20240508-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
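
The persistence and evasion signatures in this section record only the process name; the commands themselves appear in the behavioral1 process list. The Python below is an added example, not sandbox code: it runs a few of those command lines (copied from that list, with `powershell -nologo -noprofile` kept as a clean control) through checks for a system-process name outside the system directory, a logon task or firewall allow rule pointing at an untrusted binary, a deleted task, and an image started from the user's Temp directory with an untrusted DLL as argument. The finding labels, the `TRUSTED_DIRS` list and the `SYSTEM_PROCESS_NAMES` list are this example's own assumptions.

```python
"""Triage of sandbox-recorded command lines for the persistence and
masquerading patterns in this report (added example, not sandbox output).
REPORT_CMDLINES is copied from the behavioral1 process list; the finding
labels, TRUSTED_DIRS and SYSTEM_PROCESS_NAMES are this example's own
assumptions and should be tuned for a real environment."""
import re

# Names that only legitimately run from the system directory.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}
# Lower-case directory prefixes (with trailing backslash) treated as trusted.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)
# A quoted path may contain spaces; a bare one ends at whitespace.
_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"|([A-Za-z]:\\\S+)')

# Copied from the behavioral1 process list of this report.
REPORT_CMDLINES = [
    r'powershell -nologo -noprofile',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe '
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
]


def _paths(cmdline):
    """Every Windows file path on the command line, quotes stripped."""
    return [quoted or bare for quoted, bare in _PATH_RE.findall(cmdline)]


def _trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def _masquerades(path):
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_PROCESS_NAMES and not _trusted(path)


def triage(cmdline):
    """Return the finding tags for one command line (empty list if clean)."""
    toks = cmdline.lower().split()
    if not toks:
        return []
    prog = toks[0].strip('"').rsplit("\\", 1)[-1]
    if prog.endswith(".exe"):
        prog = prog[:-4]
    paths = _paths(cmdline)
    untrusted = [p for p in paths if not _trusted(p)]
    # The launched image, when the command line starts with a full path.
    head = cmdline.lstrip().lstrip('"').lower()
    exe = paths[0] if paths and head.startswith(paths[0].lower()) else None

    findings = []
    if any(_masquerades(p) for p in paths):
        findings.append("masquerade:system-process-name-outside-system32")
    if exe and "\\appdata\\local\\temp\\" in exe.lower():
        findings.append("exec:from-user-temp")
        # An image from Temp handed an untrusted DLL path as an argument.
        if any(p.lower().endswith(".dll") and not _trusted(p) for p in paths[1:]):
            findings.append("inject:untrusted-dll-argument")
    if prog == "schtasks":
        if "/create" in toks and untrusted:
            findings.append("persist:schtasks-create-untrusted-binary")
            if "/rl" in toks and "highest" in toks:
                findings.append("persist:schtasks-run-level-highest")
        if "/delete" in toks:
            findings.append("tamper:schtasks-delete")
    if prog == "netsh" and {"advfirewall", "add", "action=allow"} <= set(toks) and untrusted:
        findings.append("evasion:firewall-allow-untrusted-program")
    return findings


def summarize(cmdlines=REPORT_CMDLINES):
    """Map each command line that produced findings to its tags."""
    result = {}
    for cmd in cmdlines:
        tags = triage(cmd)
        if tags:
            result[cmd] = tags
    return result


if __name__ == "__main__":
    for cmd, tags in summarize().items():
        print("; ".join(tags), "<=", cmd)
```

The name check fires on path, not content: the dropped C:\Windows\rss\csrss.exe is byte-identical to the submitted sample (its SHA256 in the behavioral1 Files list equals the sample hash), while the genuine csrss.exe lives in C:\Windows\System32. The same task and firewall commands reappear in this run's signatures, so on a live host the equivalent checks are `schtasks /query /tn csrss /v` and `netsh advfirewall firewall show rule name=csrss`.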

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3644 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\system32\cmd.exe
PID 4996 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4996 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1164 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\rss\csrss.exe
PID 1164 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\rss\csrss.exe
PID 1164 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe C:\Windows\rss\csrss.exe
PID 3532 wrote to memory of 2716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 2716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 2716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 3200 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 3200 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 3200 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3532 wrote to memory of 1004 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3532 wrote to memory of 1004 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3652 wrote to memory of 2536 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 2536 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 2536 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2536 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2536 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe

"C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe

"C:\Users\Admin\AppData\Local\Temp\9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 27502d23-17e9-4f51-858b-c4d5fc732c8d.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.thestatsfiles.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp

Files

memory/3644-1-0x0000000004990000-0x0000000004D92000-memory.dmp

memory/3644-2-0x0000000004DA0000-0x000000000568B000-memory.dmp

memory/3644-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1228-4-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/1228-5-0x0000000002E20000-0x0000000002E56000-memory.dmp

memory/1228-6-0x0000000074D90000-0x0000000075541000-memory.dmp

memory/1228-7-0x0000000005580000-0x0000000005BAA000-memory.dmp

memory/1228-9-0x0000000005C60000-0x0000000005CC6000-memory.dmp

memory/1228-8-0x0000000005460000-0x0000000005482000-memory.dmp

memory/1228-10-0x0000000005CD0000-0x0000000005D36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jo0eigum.20n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1228-20-0x0000000005E40000-0x0000000006197000-memory.dmp

memory/1228-19-0x0000000074D90000-0x0000000075541000-memory.dmp

memory/1228-21-0x0000000006300000-0x000000000631E000-memory.dmp

memory/1228-22-0x0000000006390000-0x00000000063DC000-memory.dmp

memory/1228-23-0x0000000006860000-0x00000000068A6000-memory.dmp

memory/1228-26-0x0000000071000000-0x000000007104C000-memory.dmp

memory/1228-36-0x0000000007760000-0x000000000777E000-memory.dmp

memory/1228-27-0x0000000071250000-0x00000000715A7000-memory.dmp

memory/1228-25-0x0000000007720000-0x0000000007754000-memory.dmp

memory/1228-37-0x0000000007780000-0x0000000007824000-memory.dmp

memory/1228-38-0x0000000074D90000-0x0000000075541000-memory.dmp

memory/3644-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1228-39-0x0000000074D90000-0x0000000075541000-memory.dmp

memory/1228-41-0x00000000078B0000-0x00000000078CA000-memory.dmp

memory/1228-40-0x0000000007EF0000-0x000000000856A000-memory.dmp

memory/1228-42-0x00000000078F0000-0x00000000078FA000-memory.dmp

memory/1228-43-0x0000000007A00000-0x0000000007A96000-memory.dmp

memory/1228-44-0x0000000007920000-0x0000000007931000-memory.dmp

memory/1228-45-0x0000000007960000-0x000000000796E000-memory.dmp

memory/1228-46-0x0000000007970000-0x0000000007985000-memory.dmp

memory/1228-47-0x00000000079C0000-0x00000000079DA000-memory.dmp

memory/1228-48-0x00000000079E0000-0x00000000079E8000-memory.dmp

memory/1228-51-0x0000000074D90000-0x0000000075541000-memory.dmp

memory/3644-55-0x0000000004DA0000-0x000000000568B000-memory.dmp

memory/3644-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3644-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-64-0x0000000006370000-0x00000000066C7000-memory.dmp

memory/4264-65-0x0000000006850000-0x000000000689C000-memory.dmp

memory/4264-66-0x0000000071110000-0x000000007115C000-memory.dmp

memory/4264-67-0x00000000712B0000-0x0000000071607000-memory.dmp

memory/4264-76-0x00000000079E0000-0x0000000007A84000-memory.dmp

memory/4264-78-0x0000000007D00000-0x0000000007D11000-memory.dmp

memory/1164-77-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4264-79-0x0000000007D50000-0x0000000007D65000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5c87fe99a33f4005c4c3a1533903dec2
SHA1 7807ec9eb972349345d0c60fd55bdb26b1d99bc9
SHA256 84532ac44d4a24ba051a6856d5af481ce382b0cb327a664ec87d5ce4d6091e84
SHA512 fdcd215e7845d0e37983e5e3ea9a4892624841ffa31377778836db2f47cd227c87e90f42ce069a39cd9500de84e516cf097d25dbedc716b23887f18615ffb6d4

memory/4408-92-0x0000000071110000-0x000000007115C000-memory.dmp

memory/4408-93-0x00000000712B0000-0x0000000071607000-memory.dmp

memory/2464-103-0x0000000005D20000-0x0000000006077000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 643738b651cdfe8ce48b56e1c342952c
SHA1 d436515adfec1377a782dc4ce1d172e0e7fdc794
SHA256 c414263b394f9d4413c01b697adf922587a7dabdbb11578411ae52ba47f87476
SHA512 de7eefe7a49da997aa52e98b7c42296c57442659f0a5f54ed4ddc4bd4287e76b3d25743e691197cd6170733138731d3b0107a2918b8643c320aa294fb42a683c

memory/2464-113-0x0000000071110000-0x000000007115C000-memory.dmp

memory/2464-114-0x0000000071360000-0x00000000716B7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 db690b7d750acb89c3aa50559853c396
SHA1 2252d4286fce4849b03a9f803c2462fc69d9bc3a
SHA256 9532bef0764b3b6e1cbc8c6bf0f24e6eecefa853e3bae21917e9c3076eeb74bf
SHA512 e34612a80e3cfb18722cb6024e5847c455d12669b17ce15354abaa43f0d9487f628c956e5c496931a6ffd0e9f7bda470cfe527fab30d7ff344d1b2fc9b13b294

memory/1164-127-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2716-138-0x0000000005EF0000-0x0000000006247000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 482241910ae23d7b18832798f87b2d6c
SHA1 c247e6f44b1dd2583bf8fbc05b167d4f916d7724
SHA256 98b2149428d3ec59dbbc20c53587d87ff25c09e670380dcb0c4df1d35a5dedb6
SHA512 299bd104f7024db19adfbe51607bf781470457eb4ff2ca8e2e5541e440ca98c333f65eac1c619268516e10b7b9bcc56dafb8f5416f6a9e2b59a01bd8c96e4602

memory/2716-140-0x00000000064A0000-0x00000000064EC000-memory.dmp

memory/2716-141-0x0000000071070000-0x00000000710BC000-memory.dmp

memory/2716-142-0x00000000712C0000-0x0000000071617000-memory.dmp

memory/2716-151-0x00000000076C0000-0x0000000007764000-memory.dmp

memory/2716-152-0x0000000007A50000-0x0000000007A61000-memory.dmp

memory/2716-153-0x0000000006270000-0x0000000006285000-memory.dmp

memory/3200-163-0x0000000006190000-0x00000000064E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0fdb4d2c11a2b4f65b488101c52b8e31
SHA1 a89e5c522591c65ca346a4303a16ec904cd3ff7e
SHA256 e73c27e1e2766f9470251126630eeb73a84067b1b07394ca0e15254b0ca6b0dc
SHA512 204c9159dae9334c32a5925db7b5eb1391a20790449b86f62704afd7436f0fbe5aebcb2b3a3ef1764ac585b6d76615b56fed7bc9a4919b2135e5a56b02777d3e

memory/3200-165-0x0000000006750000-0x000000000679C000-memory.dmp

memory/3200-166-0x0000000070F90000-0x0000000070FDC000-memory.dmp

memory/3200-167-0x00000000711A0000-0x00000000714F7000-memory.dmp

memory/3200-176-0x00000000079A0000-0x0000000007A44000-memory.dmp

memory/3200-177-0x0000000007D20000-0x0000000007D31000-memory.dmp

memory/3200-178-0x0000000006510000-0x0000000006525000-memory.dmp

memory/4048-180-0x00000000062F0000-0x0000000006647000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e577a66c88e5cbf427f18ea996281282
SHA1 4734a754b636aee50d589862f13e0fd524087616
SHA256 60d3835ff280ffd602572f8643dc9799629ec2b4edc639d81295f59cb3227955
SHA512 4bded07a4ed6964c92eb373b1bc81d248a42e31874d36d67003d07758bbf35716c74462be12528dc56caa56b9ed9c0729b101f3e68679cc584ef13e14b8da8ce

memory/4048-190-0x0000000070F90000-0x0000000070FDC000-memory.dmp

memory/4048-191-0x00000000711E0000-0x0000000071537000-memory.dmp

memory/3532-200-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3652-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3532-210-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4860-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3652-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3532-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4860-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3532-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3532-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4860-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3532-223-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3532-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3532-227-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3532-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3532-231-0x0000000000400000-0x0000000002B0B000-memory.dmp