Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-lsp91acc8x
Target cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91
SHA256 cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91

Threat Level: Known bad

The file cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 09:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 09:47

Reported

2024-05-17 09:50

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\system32\cmd.exe
PID 4616 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\system32\cmd.exe
PID 4684 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4684 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4616 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\rss\csrss.exe
PID 4616 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\rss\csrss.exe
PID 4616 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\rss\csrss.exe
PID 5112 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2160 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2160 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2160 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2140 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5112 wrote to memory of 2140 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3744 wrote to memory of 4380 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4380 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4380 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4380 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4380 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe

"C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe

"C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
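The `sc sdset WinDefender ...` command above is worth reading closely: it rewrites the security descriptor of the service behind C:\Windows\windefender.exe so that an elevated administrator can no longer stop or pause it. The following Python script is an added example (not part of the sandbox report or of the malware) that parses that exact SDDL string and walks the DACL the way a simplified Windows access check would. It supports only the ACE types, two-letter right codes and well-known SID aliases present in this descriptor; hex right masks, O:/G: owner fields and group expansion are deliberately out of scope.

```python
"""Decode the service security descriptor that windefender.exe applies with
`sc sdset WinDefender ...` and evaluate who can stop the service.

Added example: a minimal SDDL parser plus a simplified DACL walk. It covers
only the ACE types, right codes and well-known SID aliases that appear in
this report; hex right masks, O:/G: owner fields and group expansion are out
of scope (assumptions, not a general SDDL implementation)."""
import re
from dataclasses import dataclass, field

# Two-letter SDDL right codes as interpreted for service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",   "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",   "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",          "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# The exact descriptor from the sc sdset command line in this report.
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass
class Ace:
    kind: str           # ALLOW, DENY or AUDIT
    flags: str          # e.g. "FA" = audit failed access attempts
    rights: frozenset   # decoded right names
    trustee: str        # SDDL SID alias (SY, BA, ...) or a literal S-1-... SID


@dataclass
class SecurityDescriptor:
    dacl: list = field(default_factory=list)
    sacl: list = field(default_factory=list)


def decode_rights(token):
    """Rights are concatenated two-letter codes; each must be a known service right."""
    codes = [token[i:i + 2] for i in range(0, len(token), 2)]
    unknown = [c for c in codes if c not in SERVICE_RIGHTS]
    if unknown:
        raise ValueError(f"unsupported right codes {unknown} in {token!r}")
    return frozenset(SERVICE_RIGHTS[c] for c in codes)


def parse_sddl(sddl):
    """Split 'D:(...)(...)S:(...)' into ordered DACL and SACL ACE lists."""
    sd = SecurityDescriptor()
    for acl_tag, body in re.findall(r"([DS]):((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            kind, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
            target = sd.dacl if acl_tag == "D" else sd.sacl
            target.append(Ace(ACE_TYPES[kind], flags, decode_rights(rights), sid))
    return sd


def check_access(sd, trustee, wanted):
    """Simplified Windows access check over an ordered DACL: ALLOW ACEs accumulate
    granted rights, a DENY ACE covering any still-ungranted right fails the
    request, and anything ungranted at the end is an implicit deny. Only exact
    trustee matches count, which is enough for this all-well-known-SID DACL."""
    remaining = set(wanted)
    for ace in sd.dacl:
        if ace.trustee != trustee:
            continue
        if ace.kind == "DENY" and remaining & ace.rights:
            return "DENIED"
        if ace.kind == "ALLOW":
            remaining -= ace.rights
            if not remaining:
                return "ALLOWED"
    return "DENIED" if remaining else "ALLOWED"


def explicit_denies(sd):
    """Map each trustee to the rights a DENY ACE explicitly takes away."""
    out = {}
    for ace in sd.dacl:
        if ace.kind == "DENY":
            out.setdefault(ace.trustee, set()).update(ace.rights)
    return out


if __name__ == "__main__":
    sd = parse_sddl(GLUPTEBA_SDDL)
    for trustee, rights in explicit_denies(sd).items():
        print(f"{WELL_KNOWN_SIDS.get(trustee, trustee)} is denied: {sorted(rights)}")
    for op in ("SERVICE_STOP", "SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC"):
        print(f"Administrators {op}: {check_access(sd, 'BA', {op})}")
```

What the decode shows: the Administrators allow ACE carries CC DC LC SW RP LO CR SD RC WD WO, that is everything except WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a separate deny ACE takes those two rights away explicitly, so `sc stop WinDefender` or `net stop WinDefender` from an elevated prompt fails while SYSTEM keeps full control. Otherwise the descriptor matches the stock descriptor Windows assigns to a new service, including the SACL entry that audits failed access by Everyone. For response this matters in two ways: the denied stop is why killing the service through the SCM does not work, and the rights the malware left in place (WRITE_DAC, DELETE, SERVICE_CHANGE_CONFIG) are exactly what an administrator needs to reset the descriptor with `sc sdset`, disable it with `sc config ... start= disabled`, or remove it with `sc delete` once the process has been terminated.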

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 563dcd8b-da4b-4cb9-b24a-984310a394e8.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server6.databaseupgrade.ru udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp

Files

memory/1420-1-0x0000000004850000-0x0000000004C52000-memory.dmp

memory/1420-2-0x0000000004C60000-0x000000000554B000-memory.dmp

memory/1420-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1836-4-0x00000000747DE000-0x00000000747DF000-memory.dmp

memory/1836-5-0x0000000004DF0000-0x0000000004E26000-memory.dmp

memory/1836-6-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1836-8-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1836-7-0x0000000005530000-0x0000000005B58000-memory.dmp

memory/1836-9-0x00000000053D0000-0x00000000053F2000-memory.dmp

memory/1836-10-0x0000000005480000-0x00000000054E6000-memory.dmp

memory/1836-11-0x0000000005BD0000-0x0000000005C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hljb0ldz.f0d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1836-21-0x0000000005D80000-0x00000000060D4000-memory.dmp

memory/1836-22-0x00000000063A0000-0x00000000063BE000-memory.dmp

memory/1836-23-0x00000000063E0000-0x000000000642C000-memory.dmp

memory/1836-24-0x0000000006910000-0x0000000006954000-memory.dmp

memory/1836-25-0x0000000007720000-0x0000000007796000-memory.dmp

memory/1836-26-0x0000000007E20000-0x000000000849A000-memory.dmp

memory/1836-27-0x00000000076E0000-0x00000000076FA000-memory.dmp

memory/1836-28-0x0000000007920000-0x0000000007952000-memory.dmp

memory/1836-31-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1836-42-0x0000000007980000-0x0000000007A23000-memory.dmp

memory/1836-41-0x0000000007960000-0x000000000797E000-memory.dmp

memory/1836-43-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1836-30-0x0000000070D70000-0x00000000710C4000-memory.dmp

memory/1836-29-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1836-44-0x0000000007A70000-0x0000000007A7A000-memory.dmp

memory/1836-45-0x0000000007B30000-0x0000000007BC6000-memory.dmp

memory/1836-46-0x0000000007A90000-0x0000000007AA1000-memory.dmp

memory/1836-47-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

memory/1836-48-0x0000000007AE0000-0x0000000007AF4000-memory.dmp

memory/1836-49-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

memory/1836-50-0x0000000007B20000-0x0000000007B28000-memory.dmp

memory/1836-53-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1420-55-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1420-56-0x0000000004850000-0x0000000004C52000-memory.dmp

memory/1420-57-0x0000000004C60000-0x000000000554B000-memory.dmp

memory/2628-67-0x0000000005A30000-0x0000000005D84000-memory.dmp

memory/2628-68-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/2628-69-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/2628-79-0x0000000007110000-0x00000000071B3000-memory.dmp

memory/1420-80-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2628-81-0x0000000007430000-0x0000000007441000-memory.dmp

memory/2628-82-0x0000000007480000-0x0000000007494000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/216-95-0x0000000006380000-0x00000000066D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3da19d611d1951d2365bb1e956f0dc1e
SHA1 dac1f5855717f4144afd440cbd533cafc040e1b4
SHA256 61c8538832cfc881934b1c7a1a2b4e8f4dba6221cf5bdcbc34fbb67b417f17e7
SHA512 111302809051c97b8e8754532c48cd94ba291712f30cc6d52632bddaa2eef7349ad09f0bdf2973e972ee69e9d6ada93499a9ca50d1ad7b83d7bb17ebeb860f96

memory/216-98-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/216-100-0x0000000070810000-0x0000000070B64000-memory.dmp

memory/4616-99-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4376-111-0x0000000005AC0000-0x0000000005E14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8c1c2a6f2e255156e92f7bc5cd2b3618
SHA1 016b87ffb3681ad5518641fbc4fabd4363fff056
SHA256 7bc8aa9afed7ca19bb3bae99f940193048a948c406865b3b2d9ee4a43dcbf313
SHA512 fde884e2c8c2617590a2ab7edde5608f900efadf950eb252aed5058cb608dae2657ae1e5c92839bbe9f7450e201c0055339e9f172df278a91f40863b1cc7191d

memory/4376-122-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4376-123-0x0000000070E10000-0x0000000071164000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3a6cc48e7de1864927854fba35372693
SHA1 5f7ed1e404a290f22c40adf1c9e8bb558fe8d2f4
SHA256 cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91
SHA512 4ef54d937033de417ec525f79c7cb5c329bd9e64ccfa5f7c72069296c7932bfd48e94299be9c85fad93ee35e32b4fba510f99160efc8556fba2b32dbf00d03a5

memory/4616-137-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3932-141-0x00000000055F0000-0x0000000005944000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2f50630759f96e957bef7c677e32ccaa
SHA1 6fab7820681c6ecb1e7884de8d71dadd0e8f0d39
SHA256 46b6acf53c122bed29f4d103ff6e0f108e8b7ac755f923d188e92343065af7b8
SHA512 5627709f82d25dd9401617ab747a4fb11ec0abcfe6b722246c3130510c4876cd79f1fd8b07287e1ca8bb3e2e706eb4ae258f558e593139110ce511fe577ed608

memory/3932-152-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/3932-153-0x0000000070DF0000-0x0000000071144000-memory.dmp

memory/2160-173-0x00000000058E0000-0x0000000005C34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 592a75dce0b8b447b0f3f4b9091e7ea0
SHA1 4f587cc3f73c5d4a89cde79e062f213e4d6bd012
SHA256 50e5a5eea733b737ff3f55c816ae189ba02b9c90c67a16ed1bb9d01fb4a524e8
SHA512 529daab7243ebf19743737cffd0fd1c98d65859d862797eb6699fa8c372203c60c429b050aa71d452a7381b87fd50b68b015497a9e38ea7c31e37e3ce890abd0

memory/2160-175-0x0000000006480000-0x00000000064CC000-memory.dmp

memory/2160-176-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/2160-177-0x0000000070760000-0x0000000070AB4000-memory.dmp

memory/2160-187-0x0000000007220000-0x00000000072C3000-memory.dmp

memory/2160-188-0x0000000007530000-0x0000000007541000-memory.dmp

memory/5112-189-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2160-190-0x0000000005DA0000-0x0000000005DB4000-memory.dmp

memory/2732-201-0x00000000059F0000-0x0000000005D44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 56db409f4882e93bf7b64cc38414f5f3
SHA1 54a73c4d6e3a840798b7fdeb5f22ab9839968a3d
SHA256 9ec2dc2cc63f5c4a5a64f1fa50c3f82caeba35e099c10b8ee5a089c45bddf8f2
SHA512 4fb4d1e3f684b1081b129e7e70d40c782f35c3a0d461d48cbfa0ea9e6bee5c8c5e12709e019677374de8a15acdf8a12c57869024ca9195de8600ae6f9b3b8694

memory/2732-203-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/2732-204-0x0000000070710000-0x0000000070A64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5112-221-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3744-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1996-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3744-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5112-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1996-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5112-234-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5112-237-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1996-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5112-241-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5112-244-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5112-246-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5112-249-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5112-252-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5112-256-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5112-259-0x0000000000400000-0x0000000002B0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:47

Reported

2024-05-17 09:50

Platform

win11-20240426-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
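The signatures above (firewall rule for C:\Windows\rss\csrss.exe, Run key, ONLOGON task at highest run level, sc.exe launch, csrss.exe dropped outside System32, DLL injection into taskmgr.exe) are each individually observable on an endpoint. The following Python script is an added example, not part of this report or of any vendor product, that turns those observations into detection rules and runs them over a constructed set of process and registry events modelled on the command lines in this analysis. The event schema (dicts with type/image/cmdline or key/data), the trusted-directory list, the list of core process names and the two benign look-alike events are all assumptions for the example; the Program Files heuristic in particular needs tuning before production use.

```python
"""Detection rules for the persistence and defence-evasion commands recorded in
this detonation, evaluated over a constructed sample of endpoint events.

Added example. The event format (dicts with type/image/cmdline or key/data),
the trusted directories and the benign sample events are assumptions, not a
real EDR schema or a vendor rule set."""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TRUSTED_DIRS = SYSTEM_DIRS + (r"c:\program files", r"c:\program files (x86)")
# Core Windows process names that malware borrows (csrss.exe in this report).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "wininit.exe", "svchost.exe"}
# Quoted paths may contain spaces; unquoted ones end at whitespace.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')


def paths_in(text):
    return [quoted or bare for quoted, bare in PATH_RE.findall(text)]


def under(path, roots):
    p = path.lower()
    return any(p.startswith(root + "\\") for root in roots)


def untrusted(paths):
    return [p for p in paths if not under(p, TRUSTED_DIRS)]


def rule_masquerade(ev):
    """Core process name (e.g. csrss.exe) running from outside the system dirs."""
    if ev["type"] == "process":
        name = PureWindowsPath(ev["image"]).name.lower()
        if name in SYSTEM_PROCESS_NAMES and not under(ev["image"], SYSTEM_DIRS):
            return f"{name} masquerade at {ev['image']}"


def rule_firewall_allow(ev):
    """netsh advfirewall allow rule whose program= points outside trusted dirs."""
    c = ev.get("cmdline", "").lower()
    if "advfirewall" in c and "add rule" in c and "action=allow" in c:
        hits = untrusted(paths_in(ev["cmdline"]))
        if hits:
            return f"inbound allow for {hits[0]}"


def rule_logon_task(ev):
    """schtasks /CREATE at /RL HIGHEST whose /TR target is outside trusted dirs."""
    c = ev.get("cmdline", "").lower()
    if "schtasks" in c and "/create" in c and "/rl highest" in c:
        hits = untrusted(paths_in(ev["cmdline"]))
        if hits:
            return f"elevated autostart task runs {hits[0]}"


def rule_service_deny_admins(ev):
    """sc sdset writing a DACL that contains a deny ACE for BUILTIN\\Administrators."""
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", ev.get("cmdline", ""), re.I)
    if m and re.search(r"\(D;[^)]*;;;BA\)", m.group(2)):
        return f"service {m.group(1)} DACL denies Administrators"


def rule_run_key(ev):
    """Run-key autostart whose target is outside trusted dirs."""
    if ev["type"] == "registry" and re.search(r"\\currentversion\\run\\", ev["key"], re.I):
        hits = untrusted(paths_in(ev["data"]))
        if hits:
            return f"Run value {PureWindowsPath(ev['key']).name} -> {hits[0]}"


def rule_taskmgr_hook(ev):
    """Injector handed taskmgr.exe plus a DLL from an untrusted path (process hiding)."""
    c = ev.get("cmdline", "")
    if "taskmgr.exe" in c.lower():
        dlls = [p for p in untrusted(paths_in(c)) if p.lower().endswith(".dll")]
        if dlls:
            return f"DLL injection into taskmgr.exe: {dlls[0]}"


RULES = [rule_masquerade, rule_firewall_allow, rule_logon_task,
         rule_service_deny_admins, rule_run_key, rule_taskmgr_hook]


def scan(events):
    """Return (event index, rule name, detail) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((i, rule.__name__, detail))
    return findings


# Constructed events modelled on the command lines in this report, followed by
# two benign look-alikes (the real csrss.exe, a vendor logon task) that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"type": "process", "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"type": "process", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"type": "registry", "key": r"HKU\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
     "data": r'"C:\Windows\rss\csrss.exe"'},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"type": "process", "image": r"C:\Windows\System32\csrss.exe", "cmdline": "csrss.exe ObjectDirectory=\\Windows"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\agent.exe" /TN VendorAgent'},
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Each of the six malicious events trips exactly one rule and the two benign events trip none. The rules are intentionally keyed on the combination of a living-off-the-land binary (netsh, schtasks, sc) and an untrusted target path rather than on the tool alone, because netsh rule creation and ONLOGON tasks are routine in enterprise builds; the masquerade rule, in contrast, needs no path heuristic, since a file named csrss.exe has no legitimate reason to execute from anywhere but the system directories.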

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3836 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\system32\cmd.exe
PID 1872 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1872 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2220 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\rss\csrss.exe
PID 2220 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\rss\csrss.exe
PID 2220 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe C:\Windows\rss\csrss.exe
PID 4704 wrote to memory of 4304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 4304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 4304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4704 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4820 wrote to memory of 1436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4820 wrote to memory of 1436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4820 wrote to memory of 1436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1436 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1436 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe

"C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe

"C:\Users\Admin\AppData\Local\Temp\cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 08560c2d-c778-4294-8a31-3b0ece1ef335.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.databaseupgrade.ru udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.108:443 server14.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server14.databaseupgrade.ru tcp
BG 185.82.216.108:443 server14.databaseupgrade.ru tcp

Files

memory/3836-1-0x0000000004950000-0x0000000004D4D000-memory.dmp

memory/3836-2-0x0000000004D50000-0x000000000563B000-memory.dmp

memory/3836-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4220-4-0x000000007433E000-0x000000007433F000-memory.dmp

memory/4220-5-0x00000000051E0000-0x0000000005216000-memory.dmp

memory/4220-6-0x0000000074330000-0x0000000074AE1000-memory.dmp

memory/4220-7-0x0000000074330000-0x0000000074AE1000-memory.dmp

memory/4220-8-0x0000000005950000-0x0000000005F7A000-memory.dmp

memory/4220-9-0x0000000005910000-0x0000000005932000-memory.dmp

memory/4220-10-0x00000000060F0000-0x0000000006156000-memory.dmp

memory/4220-11-0x0000000006160000-0x00000000061C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwvs41rv.vag.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4220-20-0x00000000062B0000-0x0000000006607000-memory.dmp

memory/4220-21-0x0000000006690000-0x00000000066AE000-memory.dmp

memory/4220-22-0x00000000066D0000-0x000000000671C000-memory.dmp

memory/4220-23-0x0000000006C20000-0x0000000006C66000-memory.dmp

memory/4220-26-0x0000000070720000-0x0000000070A77000-memory.dmp

memory/4220-35-0x0000000074330000-0x0000000074AE1000-memory.dmp

memory/4220-37-0x0000000007B30000-0x0000000007BD4000-memory.dmp

memory/4220-36-0x0000000007B10000-0x0000000007B2E000-memory.dmp

memory/4220-24-0x0000000007AB0000-0x0000000007AE4000-memory.dmp

memory/4220-25-0x00000000705A0000-0x00000000705EC000-memory.dmp

memory/4220-38-0x0000000074330000-0x0000000074AE1000-memory.dmp

memory/4220-40-0x0000000007C60000-0x0000000007C7A000-memory.dmp

memory/4220-39-0x00000000082A0000-0x000000000891A000-memory.dmp

memory/4220-41-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

memory/4220-42-0x0000000007DB0000-0x0000000007E46000-memory.dmp

memory/4220-43-0x0000000007CC0000-0x0000000007CD1000-memory.dmp

memory/4220-45-0x0000000007D20000-0x0000000007D35000-memory.dmp

memory/4220-44-0x0000000007D10000-0x0000000007D1E000-memory.dmp

memory/4220-46-0x0000000007D70000-0x0000000007D8A000-memory.dmp

memory/4220-47-0x0000000007D90000-0x0000000007D98000-memory.dmp

memory/4220-50-0x0000000074330000-0x0000000074AE1000-memory.dmp

memory/3836-52-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3836-53-0x0000000004950000-0x0000000004D4D000-memory.dmp

memory/3836-54-0x0000000004D50000-0x000000000563B000-memory.dmp

memory/1300-55-0x0000000006100000-0x0000000006457000-memory.dmp

memory/1300-65-0x00000000707F0000-0x0000000070B47000-memory.dmp

memory/1300-64-0x00000000705A0000-0x00000000705EC000-memory.dmp

memory/1300-74-0x0000000007840000-0x00000000078E4000-memory.dmp

memory/1300-75-0x0000000007B90000-0x0000000007BA1000-memory.dmp

memory/1300-76-0x0000000007BE0000-0x0000000007BF5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dce06ce3c2a66a4965b7ccab31f8ba35
SHA1 877e5992e06de4db27d9aca3f72a11044cbb7290
SHA256 4dd0f5c8241c78b77f93c618d07283cfa8baaff1eddb9af9c10429420a69de3c
SHA512 e3bf9ff0eb414e2d61046a06ec7cf49028f1b919d2f3accd09dc18c63c1bf7af7c08a590eb482dde9dfafb492ec6734a47d3568a55ec88f44a95ebb02bf60951

memory/3836-91-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2220-90-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2820-92-0x00000000705A0000-0x00000000705EC000-memory.dmp

memory/2820-93-0x0000000070720000-0x0000000070A77000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ae722ff4b42a220532cb2440925efad9
SHA1 1970f7f9fb78c51a530f983f1d6611e83dde569b
SHA256 527cbde0b38fd6f4643bad611fcdd3adb5fe70ba75d244675db7c21b6600a32b
SHA512 7fad9270f60a1e885a27316137866f114ce1a16ee9a36221275abc321d6d60ddfbaded4bee5fae68e67dff1b5075ac92d2f290da9df8d84f61068b73e8d6e2f0

memory/3988-113-0x00000000707F0000-0x0000000070B47000-memory.dmp

memory/3988-112-0x00000000705A0000-0x00000000705EC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3a6cc48e7de1864927854fba35372693
SHA1 5f7ed1e404a290f22c40adf1c9e8bb558fe8d2f4
SHA256 cd412d6e6bc3e3273a1506e300890f90d3bc0b256b7be187ebe436024859ce91
SHA512 4ef54d937033de417ec525f79c7cb5c329bd9e64ccfa5f7c72069296c7932bfd48e94299be9c85fad93ee35e32b4fba510f99160efc8556fba2b32dbf00d03a5

memory/2220-129-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d1b464d24bb22ae747e35bd660812df
SHA1 009907924801049f099b19d112d20bd37313e87d
SHA256 e15f9823106bd2d6f19663e7bb244da53a231ac590e07e0855412a7b06d85985
SHA512 5822a145738ca04e09976f0df56cf7fe06d4428e739ccd0f004457c05a5aa16ba0eab6f86795aa17a0dd858af841d0f2e94ec2e007b774305ebb29cb43e8fe5a

memory/4304-139-0x00000000705A0000-0x00000000705EC000-memory.dmp

memory/4304-140-0x00000000707F0000-0x0000000070B47000-memory.dmp

memory/4824-155-0x0000000005D90000-0x00000000060E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 89b8b275ff8c26e3bf0949c81d1e00ab
SHA1 94d578b38cfa30b38a4dc12877b731d70663ced6
SHA256 5a253938bceaef8302a1f7239a68dc0d926cf40bc15da984aadacf715eb1ac06
SHA512 2c32deebc4d45e5361a1be278bd61c5ddf29a4e399a61c5821867c17808ff52085765b96ed51fa6fa95e8f213a131048cda22eba8127a17be7ee2a42180e2aa6

memory/4824-160-0x00000000068B0000-0x00000000068FC000-memory.dmp

memory/4824-161-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/4824-162-0x0000000070710000-0x0000000070A67000-memory.dmp

memory/4824-171-0x0000000007570000-0x0000000007614000-memory.dmp

memory/4824-172-0x00000000078F0000-0x0000000007901000-memory.dmp

memory/4824-173-0x0000000006110000-0x0000000006125000-memory.dmp

memory/960-185-0x0000000005770000-0x0000000005AC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b8df73ab9d09d91df6d459d9348dfd52
SHA1 f0ec104bbb1cdfc2dd9544fcf9d5588b596c42dc
SHA256 005c26e3a7ca34c1914e1e5f92ab7c2d7d497bb521681c9de77befb822465e3e
SHA512 e08d6b7d4ad17698afb502cd5cc78dfecb9f23c7b0117ddd1e3aac2b398c4ec3bb37b14c2414a24b93cc9fedc6b115002ea2328f698e226b47ee241bb4ab0440

memory/960-187-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/960-188-0x0000000070640000-0x0000000070997000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4704-203-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4820-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4460-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4820-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4704-215-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4460-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4704-218-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4704-222-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4460-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4704-226-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4704-230-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4704-235-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4704-238-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4704-242-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4704-246-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4704-250-0x0000000000400000-0x0000000002B0D000-memory.dmp