Malware Analysis Report

2025-01-02 06:40

Sample ID 240515-swwphsff9w
Target c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e
SHA256 c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e

Threat Level: Known bad

The file c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:29

Reported

2024-05-15 15:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\system32\cmd.exe
PID 4120 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2316 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\rss\csrss.exe
PID 4364 wrote to memory of 4072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 1528 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 2600 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2548 wrote to memory of 2424 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe

"C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe

"C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 88c3f05f-8f12-411f-8d51-6724e10ea5c4.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server16.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp

Files

memory/2772-1-0x0000000004790000-0x0000000004B8A000-memory.dmp

memory/2772-2-0x0000000004B90000-0x000000000547B000-memory.dmp

memory/2772-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-4-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/3784-5-0x0000000002A50000-0x0000000002A86000-memory.dmp

memory/3784-7-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/3784-6-0x0000000005200000-0x0000000005828000-memory.dmp

memory/3784-8-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/3784-9-0x0000000005830000-0x0000000005852000-memory.dmp

memory/3784-10-0x0000000005920000-0x0000000005986000-memory.dmp

memory/3784-11-0x0000000005A00000-0x0000000005A66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgadhseg.hmx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3784-17-0x0000000005A70000-0x0000000005DC4000-memory.dmp

memory/3784-22-0x0000000006030000-0x000000000604E000-memory.dmp

memory/3784-23-0x00000000060D0000-0x000000000611C000-memory.dmp

memory/3784-24-0x00000000065F0000-0x0000000006634000-memory.dmp

memory/3784-25-0x0000000007350000-0x00000000073C6000-memory.dmp

memory/3784-26-0x0000000007A50000-0x00000000080CA000-memory.dmp

memory/3784-27-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/2772-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3784-41-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/3784-42-0x00000000075F0000-0x000000000760E000-memory.dmp

memory/3784-31-0x0000000070C80000-0x0000000070FD4000-memory.dmp

memory/3784-30-0x0000000070540000-0x000000007058C000-memory.dmp

memory/3784-43-0x0000000007610000-0x00000000076B3000-memory.dmp

memory/3784-29-0x00000000075B0000-0x00000000075E2000-memory.dmp

memory/3784-44-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/3784-45-0x0000000007700000-0x000000000770A000-memory.dmp

memory/3784-46-0x00000000077C0000-0x0000000007856000-memory.dmp

memory/3784-47-0x0000000007720000-0x0000000007731000-memory.dmp

memory/3784-48-0x0000000007760000-0x000000000776E000-memory.dmp

memory/3784-49-0x0000000007770000-0x0000000007784000-memory.dmp

memory/3784-50-0x0000000007860000-0x000000000787A000-memory.dmp

memory/3784-51-0x00000000077A0000-0x00000000077A8000-memory.dmp

memory/3784-54-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/2772-57-0x0000000004B90000-0x000000000547B000-memory.dmp

memory/2772-58-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2244-60-0x0000000005D80000-0x00000000060D4000-memory.dmp

memory/2316-59-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2244-70-0x0000000006460000-0x00000000064AC000-memory.dmp

memory/2244-71-0x0000000070640000-0x000000007068C000-memory.dmp

memory/2244-72-0x0000000070DE0000-0x0000000071134000-memory.dmp

memory/2244-82-0x00000000075C0000-0x0000000007663000-memory.dmp

memory/2244-83-0x0000000007900000-0x0000000007911000-memory.dmp

memory/2244-84-0x0000000007950000-0x0000000007964000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4820-97-0x00000000057A0000-0x0000000005AF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d84788fa0377f1131348d4fad8749aa4
SHA1 86bd8ac43e4839cc874735c11e3fad0248a272ca
SHA256 5848c03b34f8803da0931047494ab83c4711898ec2d8e1d73022344c5ddfeb86
SHA512 7c11fde35a39ee64a9816c3c7c1927ca8e73a53af0dbc788ee48d8e2a070eb4f69a6cbdb27fd82a6d4fb6d9d9c95d388840792be2f8175edec4bf0541b8eacf4

memory/4820-99-0x0000000070640000-0x000000007068C000-memory.dmp

memory/4820-100-0x00000000707C0000-0x0000000070B14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b9e33bfb93acc681e9a1bfa1e0d26c6d
SHA1 efad643608c65b160ce156e8536f2dfd96dd4b39
SHA256 d010cbca44742547400147e48ca34cb94f0d2e66ca040d691f86f78891755678
SHA512 70174aec2656b7fe0056209856bf38a499cb60c498abb58ef035fdf0a6a4b99c9e17e3a3c9da065c31c49821e338329ee69d817c6a92cffe0e9f2c78d1cdda4c

memory/1772-122-0x0000000070DE0000-0x0000000071134000-memory.dmp

memory/1772-121-0x0000000070640000-0x000000007068C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 cf0a4b93973ffe9b6276de5e351f426d
SHA1 45d8e2501728dd1a0ce7b3f5dc7520b7eb3db257
SHA256 c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e
SHA512 7aacb86c41ed6594646b5d946302011f8fa60eaf562d6f776df46051b5368b2eb8589be7cca7a005075cfafa59345a1cb3d2720ec015115d7f515e20a5ba963f

memory/2316-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4072-148-0x00000000061D0000-0x0000000006524000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a5d465cba96750521195bcc9ed59a42f
SHA1 2865fc7aed589e31d8fc4ba48bb975eff60c4cb0
SHA256 008542f6bb09d9c16c204ac1d97be857b1d679486d1bcdd93c5b31c670365b84
SHA512 2d30ada0b931efda9b6a70055de0a1958957e7c7b67fd9ba8e2bbefd2e2a548bf047db225940ab47b047a029c083548db02eb758d74e624ff54ecdc8757ef0dc

memory/4072-150-0x00000000067D0000-0x000000000681C000-memory.dmp

memory/4072-151-0x00000000705A0000-0x00000000705EC000-memory.dmp

memory/4072-152-0x0000000070720000-0x0000000070A74000-memory.dmp

memory/4072-162-0x0000000007880000-0x0000000007923000-memory.dmp

memory/4072-163-0x0000000007B90000-0x0000000007BA1000-memory.dmp

memory/4072-164-0x00000000060C0000-0x00000000060D4000-memory.dmp

memory/4364-166-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1528-177-0x0000000005DA0000-0x00000000060F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6a4f0b2eb139b567c93f80a4af26cb5e
SHA1 06ad26d00b39fdb35df28a9c13573ea13e538782
SHA256 f969ad8c9c08d5b2d83879e859ef849a63f8db4c46fd0eb03c7b1f509e7513f2
SHA512 53d99dc29559b7b7db5c640804daffd6dd66a6ecdbef7904b6dd55debf295a84f1c00b4bd73d1f3f86a7eb134ab1d8c5f0935d6e0d90471b57eb2baf3c8fdebc

memory/1528-179-0x0000000006530000-0x000000000657C000-memory.dmp

memory/1528-180-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/1528-181-0x0000000070660000-0x00000000709B4000-memory.dmp

memory/1528-191-0x00000000074B0000-0x0000000007553000-memory.dmp

memory/1528-192-0x0000000007800000-0x0000000007811000-memory.dmp

memory/1528-193-0x0000000005CA0000-0x0000000005CB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 41624277dfc858d7e154dbeee78091d6
SHA1 603822a841d0d5f33d737654ebaee8522249fe9f
SHA256 d59e9ab5488aa1a1a9df76ed957dd1ee9121bf3cec1d322e07cfcc96e525ae86
SHA512 90d1fd7a2c8d2ae3690aeabd671916398b734d2b5690c41a799c06a319341bb4ff6b5e1066441c4cb7ea09148d88a55fa0655530ac627826010c394c9092ae71

memory/3736-205-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/3736-206-0x0000000070660000-0x00000000709B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4364-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2548-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4696-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2548-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4696-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4696-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-243-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-255-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-257-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:29

Reported

2024-05-15 15:31

Platform

win11-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4920 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe C:\Windows\rss\csrss.exe
PID 1292 wrote to memory of 4420 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 3600 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 3040 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3940 wrote to memory of 1792 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe

"C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe

"C:\Users\Admin\AppData\Local\Temp\c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c5ef5be8-a2bf-437d-893e-83e8978fb7d3.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 server6.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzmll3hw.w42.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 804c85bc7bb42ae1347650f59dc8eb3e
SHA1 3245a30647129ed538496d03d90e81151fe70be7
SHA256 cf6d2f36538ed3f25f19019d5e49273c166c9c08aada6c7f69ca98cc46efb198
SHA512 e09149ba626869c3a750cc365d78a50532a4235348f8ee76c326f63cf4375abb15e8f3a12ef6d386ab29de704f93510300175bd9a77ed476b2189e17bb53335f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 103474969eed7b8021b3ea4cde5564d3
SHA1 07cbe4cf5fecc32ea3e85f92e8ea6cdeca9c80ff
SHA256 d5187778d9cad03913c8a3aca0cf2ddf711a93b81a063413a92294d923562a74
SHA512 05fd95fe1d03ca71d7a3a6514ff336f4b53b9a005043d91543ce53115975359ba6687a560713014cfd74629f4c7fc53d79121d2e4d8136e005beb4aa536113cb

C:\Windows\rss\csrss.exe

MD5 cf0a4b93973ffe9b6276de5e351f426d
SHA1 45d8e2501728dd1a0ce7b3f5dc7520b7eb3db257
SHA256 c8bf4eb6de6fe25752c543fbf01b7850798573a531cba7b7c391bebbde41f37e
SHA512 7aacb86c41ed6594646b5d946302011f8fa60eaf562d6f776df46051b5368b2eb8589be7cca7a005075cfafa59345a1cb3d2720ec015115d7f515e20a5ba963f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 af860c5c01c03588ec0c4d59d36dd78c
SHA1 67da667851b187b797657623573d487b79e128c1
SHA256 be9882fae34d41c4d28ea15a1175e99d9cbed852f4360f12b2540137f4802cd1
SHA512 4cc1142af76f67f1fbf4aef40d5e74d788f39c902289832e731e5ffab7f6cc2ddec66754375232af0c05f1bb3f4cd14b547b29d95e749280e5fbbea270484c59

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3a55a7cff22d7ef589762cf9eb8e878e
SHA1 7b9e458d58c3b50d0e95d32f702a81a9cca3fc2e
SHA256 08c79255d431e9320dde6fadfc8ac8086bafc95a70ec888713402c72663846dd
SHA512 1f1889160aee1851c1e99d2a7838a02046006cc1b0a7145f712464bd974588ae7f2f3103a9af00e4edcfa96b0adf382b1951ed27b3041bd79b5157939f7ad3cc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e9be77bcaf219c1c27cf164b171b6b96
SHA1 cbdcc6ca80d6b6d75f95732888c1d61e76206545
SHA256 cd826aff00ececd0a964c625dbf725840e9a2de6db029396b8a16010eb33d104
SHA512 2dec0d8bdd4cfe744d05ace3bd7be6726a16036c3cc7a1a498e541545e0b0c9a9e4f133f47440a9a071e9bf815c82f759ef6f5b9eb533e56d89f374df9720fcc

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
