Malware Analysis Report

2025-01-02 06:32

Sample ID 240515-xv8d5sfc71
Target c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883
SHA256 c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883

Threat Level: Known bad

The file c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-15 19:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-15 19:11
Reported: 2024-05-15 19:14
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 hits; the report records no description, indicator, process or target for this signature.)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
The netsh invocation (full command line under Processes) adds an inbound allow rule named "csrss" for C:\Windows\rss\csrss.exe, so the dropped binary can accept inbound connections without triggering a firewall prompt.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
The dropped binaries carry names chosen to blend in: this csrss.exe lives in C:\Windows\rss\ rather than System32, and windefender.exe is not a Microsoft Defender component. windefender.exe is listed twice because it was executed twice.

UPX packed file

upx
Description Indicator Process Target
(6 hits; the report records no description, indicator, process or target for this signature.)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
The Run value is written first by the sample and again by the dropped csrss.exe, so the entry is re-asserted on every execution of the implant.

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A
\??\WinMonFS is the device object through which user-mode code talks to the WinMonFS kernel driver that Glupteba uses for its rootkit functionality (hiding its own files and processes). This run records the open attempt from csrss.exe but not the driver being installed, and does not record whether the open succeeded.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification (x5) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
These files are PowerShell's own startup-profile cache and the CLR usage log, not payloads. The informative part is where they land: C:\Windows\SysWOW64\config\systemprofile is the profile directory of the LocalSystem account, so the 32-bit powershell.exe instances that wrote them were running as SYSTEM (consistent with the HKEY_USERS\.DEFAULT writes further down).

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
\??\VBoxMiniRdrDN is the device object of the VirtualBox shared-folders redirector (a driver, not a DLL, despite the signature name); it exists only in a VirtualBox guest with Guest Additions installed, which makes opening it a cheap hypervisor check.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
sc.exe is launched by cmd.exe under windefender.exe to run sc sdset WinDefender, which replaces the security descriptor of the service named WinDefender; the full SDDL string is under Processes.

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Both rows are the same command (see Processes): a task named csrss that runs C:\Windows\rss\csrss.exe at every logon with /RL HIGHEST, i.e. with the user's full administrator token, so the binary comes back elevated even if the Run key is removed. A third schtasks run, which deletes a task named ScheduledUpdate, is not counted under this signature.
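The firewall rule, the masquerading file names, the elevated logon task and the later sc sdset step are all visible on process-creation telemetry. The following is an added example, not part of the sandbox report or of the malware: four detection rules run over constructed Sysmon-style process events whose command lines are copied from this report's Processes section (the PID given to schtasks.exe is invented, since the report does not list it), together with benign look-alikes that must not fire. The Run key needs registry telemetry and is not covered here. Event, scan, is_trusted_location and the allowlists are names and values chosen for this example.

```python
"""Detection rules for the firewall, masquerading, scheduled-task and
service-DACL steps recorded in this report. Added example, not part of the
report or the malware; runs over constructed Sysmon-style process events."""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}  # exact-match dirs
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")  # illustrative
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "svchost.exe", "winlogon.exe", "wininit.exe"}
SYSTEMROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",  # legit in C:\Windows
                   "write.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}

_FW_PROGRAM = re.compile(r'program=(?:"([^"]+)"|(\S+))', re.I)
_TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
# SDDL ACE = (type;flags;rights;object_guid;inherit_guid;sid); match DENY ACEs for BA only.
_DENY_BA = re.compile(r"\(D;[^;)]*;([^;)]*);[^;)]*;[^;)]*;BA\)", re.I)


@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # full path of the new process
    cmdline: str  # command line as logged


def _clean(path):
    return path.strip().strip('"').lower()


def _name(ev):
    return ntpath.basename(_clean(ev.image))


def _arg(m):
    return m.group(1) or m.group(2)


def is_trusted_location(path):
    """Binary sits in a Windows system directory or under Program Files."""
    d = ntpath.dirname(_clean(path))
    return d in SYSTEM_DIRS or d.startswith(TRUSTED_PREFIXES)


def check_masquerade(ev):
    """Core process name outside System32, or a stray EXE directly in C:\\Windows."""
    d, name = ntpath.split(_clean(ev.image))
    if name in SYSTEM_PROCESS_NAMES and d not in SYSTEM_DIRS:
        return ("masquerade_system_process", f"{name} in {d}")
    if d == "c:\\windows" and name not in SYSTEMROOT_EXES:
        return ("unexpected_exe_in_systemroot", ev.image)
    return None


def check_firewall_allow(ev):
    """netsh advfirewall allow rule whose program is outside trusted locations."""
    cl = ev.cmdline.lower()
    if _name(ev) != "netsh.exe" or "advfirewall" not in cl:
        return None
    m = _FW_PROGRAM.search(ev.cmdline)
    if "add rule" in cl and "action=allow" in cl and m and not is_trusted_location(_arg(m)):
        return ("firewall_allow_untrusted_program", _arg(m))
    return None


def check_elevated_logon_task(ev):
    """schtasks /CREATE with /RL HIGHEST whose action binary is outside trusted locations."""
    cl = ev.cmdline.lower()
    if _name(ev) != "schtasks.exe" or "/create" not in cl:
        return None
    m = _TASK_ACTION.search(ev.cmdline)
    if "/rl highest" in cl and m and not is_trusted_location(_arg(m)):
        return ("elevated_task_untrusted_binary", _arg(m))
    return None


def check_service_dacl_tamper(ev):
    """sc sdset writing a DENY ACE for Administrators into a service DACL."""
    if _name(ev) != "sc.exe" or "sdset" not in ev.cmdline.lower():
        return None
    m = _DENY_BA.search(ev.cmdline)
    return ("service_dacl_denies_admins", f"denies {m.group(1)} to BA") if m else None


RULES = (check_masquerade, check_firewall_allow, check_elevated_logon_task, check_service_dacl_tamper)


def scan(events):
    """Return [(pid, rule, detail)] for every rule hit across the events."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev.pid,) + hit)
    return hits


# Constructed input: command lines copied from this report's Processes section
# (the schtasks PID is invented), plus benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [
    Event(4360, r"C:\Windows\system32\netsh.exe",
          'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    Event(5048, r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    Event(1000, r"C:\Windows\SYSTEM32\schtasks.exe",
          'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'),
    Event(4712, r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
    Event(2072, r"C:\Windows\SysWOW64\sc.exe",
          "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
          "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    Event(900, r"C:\Windows\System32\csrss.exe", r"%SystemRoot%\system32\csrss.exe"),
    Event(901, r"C:\Windows\system32\netsh.exe",
          'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\\Program Files\\App\\app.exe" enable=yes'),
    Event(902, r"C:\Windows\System32\schtasks.exe",
          'schtasks /CREATE /SC DAILY /RL LIMITED /TR "C:\\Users\\Admin\\tool.exe" /TN tool'),
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"PID {pid:<5} {rule:<32} {detail}")
```

Against the constructed events the five malicious ones each raise exactly one alert and the three benign ones raise none. The location checks compare the directory exactly rather than by prefix, which is what separates C:\Windows\rss\csrss.exe from C:\Windows\System32\csrss.exe; the TRUSTED_PREFIXES allowlist is deliberately small and will need widening for environments that install software elsewhere.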

Modifies data under HKEY_USERS

Most of these rows are side-effects rather than configuration changes: the @tzres.dll MuiCache entries are written whenever a process resolves localized time-zone names, and the SystemCertificates keys are created when PowerShell initializes its certificate stores. The hive is the informative part: HKEY_USERS\.DEFAULT is the profile hive used by processes running as LocalSystem, so the sample instance, windefender.exe and the powershell.exe instances that wrote here were running as SYSTEM.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(64 hits with no description or indicator recorded; collapsed by process.)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (32 hits) N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (14 hits) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe (12 hits) N/A
N/A N/A C:\Windows\rss\csrss.exe (6 hits) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
SeDebugPrivilege is the standard prerequisite for opening other processes for memory reads and injection. SeImpersonatePrivilege lets the sample adopt the token of a client it services. SeSystemEnvironmentPrivilege, enabled by the dropped csrss.exe, is the privilege required to read and write UEFI firmware variables; a user-mode binary enabling it is unusual and worth following up on its own. SeSecurityPrivilege on sc.exe is needed because the descriptor it sets includes a SACL (the S: part of the sc sdset command).

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Repeated rows for the same parent/child pair collapsed; the sandbox logs several writes per spawned child.)
PID 4556 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\system32\cmd.exe
PID 3804 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 676 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\rss\csrss.exe
PID 5048 wrote to memory of 2928 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5048 wrote to memory of 4992 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5048 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5048 wrote to memory of 2152 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4712 wrote to memory of 4328 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Process tree implied by these writes (parent above child):
c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe (4556)
    powershell.exe (2748)
c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe (676)
    powershell.exe (4424)
    cmd.exe (3804)
        netsh.exe (4360)
    powershell.exe (1852)
    powershell.exe (2656)
    C:\Windows\rss\csrss.exe (5048)
        powershell.exe (2928)
        powershell.exe (4992)
        powershell.exe (3880)
        injector.exe (2152)
C:\Windows\windefender.exe (4712)
    cmd.exe (4328)
        sc.exe (2072)
The sample runs twice; the second instance (676) is the one that drops csrss.exe and spawns the firewall change. No write records a parent for windefender.exe (4712), consistent with it being started by the Service Control Manager as the WinDefender service rather than directly by the malware.

Uses Task Scheduler COM API

persistence

Processes

(Each entry: image path, then the command line as recorded.)

C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe
    "C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe
    "C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Notes on this chain:
The sample is started twice (PIDs 4556 and 676 in the WriteProcessMemory table); the second instance performs the firewall change, the drop of csrss.exe and the task creation.
The 32-bit sample reaches the 64-bit cmd.exe through the C:\Windows\Sysnative alias (resolved here to C:\Windows\system32\cmd.exe) to add an inbound allow rule for the dropped csrss.exe.
The ONLOGON task csrss is created twice with /RL HIGHEST; the task named ScheduledUpdate that gets deleted is not created anywhere in this run.
injector.exe takes taskmgr.exe as its target and NtQuerySystemInformationHook.dll as its payload; the DLL name indicates a hook on NtQuerySystemInformation, the call Task Manager uses to enumerate processes, i.e. user-mode process hiding.
windefender.exe rewrites the security descriptor of a service named WinDefender; the (D;;WPDT;;;BA) entry denies BUILTIN\Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so an administrator cannot stop the service through the normal controls.

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.152:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 152.196.17.2.in-addr.arpa udp
BE 2.17.196.129:443 www.bing.com tcp
US 8.8.8.8:53 129.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 428e7118-bfd5-4a4d-ae1f-0e31d79c6134.uuid.realupdate.ru udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.realupdate.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server11.realupdate.ru tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BG 185.82.216.96:443 server11.realupdate.ru tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.96:443 server11.realupdate.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1yaip2b.uc3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aa6e3daa8c41bd91ff2d0c4e09e3580d
SHA1 e118e1f62e83a6481edf5d4c0963ed64580fe5ea
SHA256 dc340497729653dcdb990e6076d1f092ee2ac72363fb9174192a7064132f1990
SHA512 18b5a1bbdb54b074c19968eb5ee3b1f879a0fb44cdf719883069107ad9f520a5f41836c8f3a2c2fbcc68e0438b3da56638719c5e0423891c517e2380bac2eefd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b13e4e3345413d92584e1787b92b4934
SHA1 4fc5e75e880b24e13c5f1f74aad7bb667dc02709
SHA256 f6580e8402ec831ac1dc99073cbfdffb54e8d808810f9ea2095ae6a92f098684
SHA512 0c3ca7aac74818c1c9db88b389e4add475d946e1687c45aff65a8aa784627ec4dd25d35268a0ca2d3384a004d3478796d970ec3b677c10109582c636174ef4eb

C:\Windows\rss\csrss.exe

MD5 c35bfcc4d6634570914e44084caf8815
SHA1 8d93d2609e171e9a8ce21471b1239120f2314bc5
SHA256 c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883
SHA512 81b40f086b56f03024c4a0e60cc0ccc3ad29aebeb4bb3d0eb973ddcceb95e8319af5643bee6c2204f7cfc6e54a8279e1d7323fcab9222cb27594d99af994f38d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2502787ec1105a93ab40cbec4f56dc26
SHA1 8f550c47bb27c8d89f171d8b950354b4100cbaf1
SHA256 dfbd8ea178a5dde3a36174b468e93b9e1cb1b202b59d8f90b75a01884b66d55d
SHA512 ad4fc7569d29c45b6c01d7f503d61c4ef87715830718de03ff1675abdfe2e8fda1d99d05f076482059231f5773f4d01bf1b7e8da0d30d72a44f39fc3d80dd516

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 686e0b51b301bbd0ca22b86a943a4546
SHA1 eb24f7c33f0157f5ce6f600aed0d61486ea882ba
SHA256 fe29227889571203e1fce3bfea33c377b8a4b6cbaf2c0d9bc41d9ce46bcb30a2
SHA512 ac55d11ce6d903ee91db39c3d63291c27a2f501a3e9ed2df6bec55716d2618e5eefa7c8ef3369628d869b51c8aeae5891a7fade05527f8a95a1b00a18755198f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3c7b862823b373e6ad8475f63198b099
SHA1 f5e25f6fe3dc7495596b7a98dafd66a2c4dc1843
SHA256 f168723782c81200e82292eeb3734bd0af1d5704e9d605093141d30c009a8447
SHA512 f7172b4306a25107387807aeea8a44fed4aa7d8636c49759cc6c9f7d1208b27eb4a4ff76ea4d16620d63c826345f6368d51b14f49fd696fff422013f0f8cb7f3

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 19:11

Reported

2024-05-15 19:14

Platform

win11-20240508-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1788 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1788 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1788 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\system32\cmd.exe
PID 2964 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2848 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2964 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\rss\csrss.exe
PID 2964 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\rss\csrss.exe
PID 2964 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe C:\Windows\rss\csrss.exe
PID 4692 wrote to memory of 648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 648 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4852 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4852 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4852 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 408 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4692 wrote to memory of 408 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4016 wrote to memory of 4600 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4600 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4600 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4600 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4600 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe

"C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe

"C:\Users\Admin\AppData\Local\Temp\c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5ccbf6fb-efc2-46ab-b3d4-ffe8228dd32f.uuid.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.realupdate.ru udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server10.realupdate.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server10.realupdate.ru tcp
BG 185.82.216.96:443 server10.realupdate.ru tcp

Files

memory/1788-1-0x00000000048D0000-0x0000000004CCD000-memory.dmp

memory/1788-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1788-2-0x0000000004CD0000-0x00000000055BB000-memory.dmp

memory/2544-4-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/2544-5-0x0000000000F00000-0x0000000000F36000-memory.dmp

memory/2544-7-0x0000000005190000-0x00000000057BA000-memory.dmp

memory/2544-6-0x0000000074B10000-0x00000000752C1000-memory.dmp

memory/2544-8-0x0000000074B10000-0x00000000752C1000-memory.dmp

memory/2544-9-0x0000000005830000-0x0000000005852000-memory.dmp

memory/2544-10-0x00000000058D0000-0x0000000005936000-memory.dmp

memory/2544-11-0x00000000059B0000-0x0000000005A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvqntatl.4v1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2544-20-0x0000000005A20000-0x0000000005D77000-memory.dmp

memory/2544-21-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

memory/2544-22-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

memory/2544-23-0x0000000006410000-0x0000000006456000-memory.dmp

memory/2544-26-0x0000000070D80000-0x0000000070DCC000-memory.dmp

memory/2544-27-0x0000000070F00000-0x0000000071257000-memory.dmp

memory/2544-37-0x0000000007340000-0x00000000073E4000-memory.dmp

memory/2544-36-0x0000000007320000-0x000000000733E000-memory.dmp

memory/2544-25-0x00000000072C0000-0x00000000072F4000-memory.dmp

memory/2544-38-0x0000000074B10000-0x00000000752C1000-memory.dmp

memory/1788-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2544-39-0x0000000074B10000-0x00000000752C1000-memory.dmp

memory/2544-41-0x0000000007460000-0x000000000747A000-memory.dmp

memory/2544-40-0x0000000007AB0000-0x000000000812A000-memory.dmp

memory/2544-42-0x00000000074A0000-0x00000000074AA000-memory.dmp

memory/2544-43-0x0000000007560000-0x00000000075F6000-memory.dmp

memory/2544-44-0x00000000074D0000-0x00000000074E1000-memory.dmp

memory/2544-45-0x0000000007510000-0x000000000751E000-memory.dmp

memory/2544-46-0x0000000007520000-0x0000000007535000-memory.dmp

memory/2544-47-0x0000000007620000-0x000000000763A000-memory.dmp

memory/2544-48-0x0000000007640000-0x0000000007648000-memory.dmp

memory/2544-51-0x0000000074B10000-0x00000000752C1000-memory.dmp

memory/1788-53-0x00000000048D0000-0x0000000004CCD000-memory.dmp

memory/1788-54-0x0000000004CD0000-0x00000000055BB000-memory.dmp

memory/1788-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5008-64-0x0000000005FA0000-0x00000000062F7000-memory.dmp

memory/1788-65-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5008-66-0x0000000070D80000-0x0000000070DCC000-memory.dmp

memory/5008-67-0x0000000070FD0000-0x0000000071327000-memory.dmp

memory/5008-76-0x00000000076D0000-0x0000000007774000-memory.dmp

memory/5008-77-0x00000000079F0000-0x0000000007A01000-memory.dmp

memory/5008-78-0x0000000007A40000-0x0000000007A55000-memory.dmp

memory/2964-81-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d92b90aa8c19289ca296db722c84b2de
SHA1 5699ca51b6f5118c19a128c4aca925b672ad54e8
SHA256 f1067d31a9cb50d3b7ed9b2d1ddee0613c468cf9e9a75227fc62c594228da8df
SHA512 b70378c21356986635aee156f57fd7130d7d5ea62d104e07adbbb356ffa8f7460ecfdfa351b5a1c0b4192dfbb737d9653d7a8fcfb055b5741dc0fe00278dc6a4

memory/1180-92-0x0000000070D80000-0x0000000070DCC000-memory.dmp

memory/1180-93-0x0000000070F00000-0x0000000071257000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 86b62ca445a88ba2ec3a6eb3cb942630
SHA1 dcc051597a9256a88fca2910cca615fb20d14a5f
SHA256 e945f19108ac779ce486efaaa902118ae2c405bdae6b8885ce97e56ea25c6c40
SHA512 25602b2615d12365f3c5182207bc3671f1c1a4a06e6594512d8ce1e369e4255e33027bbd8330eb363ab5acdcee9ef1560250833304a9ea70b5f53f74875803c6

memory/4608-113-0x0000000070D80000-0x0000000070DCC000-memory.dmp

memory/4608-114-0x0000000070FD0000-0x0000000071327000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c35bfcc4d6634570914e44084caf8815
SHA1 8d93d2609e171e9a8ce21471b1239120f2314bc5
SHA256 c805909ab8b34f038e94b62eb0fde545f1442e55c454bd9834b831d12a115883
SHA512 81b40f086b56f03024c4a0e60cc0ccc3ad29aebeb4bb3d0eb973ddcceb95e8319af5643bee6c2204f7cfc6e54a8279e1d7323fcab9222cb27594d99af994f38d

memory/2964-127-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-139-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 44ec382908667cabce19ca2599f26fcf
SHA1 f4cbbb62ed6fce702c9022802a2e4677eeef22a1
SHA256 68eb95ff8ba0bcb83220a88fff3bf4c9b2e55bc95ba5fc2203ddd2c80b1977f4
SHA512 367d3e81a3ad1382a7865d74be1d2d0b88fcc345c34e68fee2ae45d7890d72289dc9df88d664b9eb7aee093d4082a2b9b9a0015a744dc4cd9b8ba5676f6cb9dd

memory/648-141-0x0000000070D80000-0x0000000070DCC000-memory.dmp

memory/648-142-0x0000000070F00000-0x0000000071257000-memory.dmp

memory/4852-160-0x0000000005A60000-0x0000000005DB7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 77cb015261519e11db5fb23e70756632
SHA1 00629d6d8e59ead23638dc7fabf399f9a339b5d9
SHA256 a7c24442e0526f909077e03558aaa8f6d57bb247fcbc45166c9862a4596671e4
SHA512 89c4d92b66f14fed57e856f4a60ba3bac5c35173dc2469acc12d5950f259e0fbda1eff84f51de0864b2ea9d848d0795a181ca93e169555ebb1b0447973005baf

memory/4852-162-0x0000000006590000-0x00000000065DC000-memory.dmp

memory/4852-163-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/4852-164-0x0000000070EF0000-0x0000000071247000-memory.dmp

memory/4852-173-0x0000000007290000-0x0000000007334000-memory.dmp

memory/4852-174-0x0000000005DF0000-0x0000000005E01000-memory.dmp

memory/4852-175-0x0000000005E30000-0x0000000005E45000-memory.dmp

memory/4620-186-0x0000000005CE0000-0x0000000006037000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c45de6d302c31b915603ed9632545041
SHA1 3287b8fab712dc958ae3560e9a602339842a5e3c
SHA256 d0438572f489b1b49ff4c6d88fa25de7144a634ea1a15dcf093b6dec475a266b
SHA512 59fc4d914a5ad6c29f72bf4a1c0c4904df126f9405dc60436671267b7a683637558778200f6ce54ac09c657b11abbed7ebde94949a8718e98ff8bf29b3e3b045

memory/4620-188-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/4620-189-0x0000000070E40000-0x0000000071197000-memory.dmp

memory/4692-198-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4016-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4692-209-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3564-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4016-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3564-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4692-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-223-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3564-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4692-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-238-0x0000000000400000-0x0000000002B0B000-memory.dmp