Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-s78hfsfh6v
Target e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349
SHA256 e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349

Threat Level: Known bad

The file e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 15:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 15:47

Reported

2024-04-17 15:49

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target Count
N/A N/A N/A N/A 21

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Windows\rss\csrss.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 1
N/A N/A C:\Windows\windefender.exe N/A 2

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 4

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A 2

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 14
N/A N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 32
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2684 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3624 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3624 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\system32\cmd.exe 2
PID 2628 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 3624 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3624 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\rss\csrss.exe 3
PID 2488 wrote to memory of 1108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2488 wrote to memory of 2264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2488 wrote to memory of 1412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2488 wrote to memory of 4668 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 3208 wrote to memory of 3428 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3428 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe

"C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe

"C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 15:47

Reported

2024-04-17 15:49

Platform

win11-20240412-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5016 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\system32\cmd.exe
PID 1012 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\system32\cmd.exe
PID 1264 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1264 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\rss\csrss.exe
PID 1012 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\rss\csrss.exe
PID 1012 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe C:\Windows\rss\csrss.exe
PID 4968 wrote to memory of 3112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3608 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3608 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3608 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1628 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4968 wrote to memory of 1628 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2812 wrote to memory of 3524 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3524 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 3524 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3524 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3524 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe

"C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe

"C:\Users\Admin\AppData\Local\Temp\e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.databaseupgrade.ru udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server15.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server15.databaseupgrade.ru tcp
BG 185.82.216.108:443 server15.databaseupgrade.ru tcp

Files

memory/5016-1-0x0000000004F60000-0x0000000005360000-memory.dmp

memory/5016-2-0x0000000005360000-0x0000000005C4B000-memory.dmp

memory/5016-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2896-4-0x0000000004D90000-0x0000000004DC6000-memory.dmp

memory/2896-5-0x00000000742F0000-0x0000000074AA1000-memory.dmp

memory/2896-6-0x0000000005510000-0x0000000005B3A000-memory.dmp

memory/2896-7-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

memory/2896-8-0x00000000053A0000-0x00000000053C2000-memory.dmp

memory/2896-9-0x0000000005BB0000-0x0000000005C16000-memory.dmp

memory/2896-10-0x0000000005C20000-0x0000000005C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iwk10xdb.q1k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2896-16-0x0000000005C90000-0x0000000005FE7000-memory.dmp

memory/2896-20-0x0000000006260000-0x000000000627E000-memory.dmp

memory/2896-21-0x0000000006290000-0x00000000062DC000-memory.dmp

memory/2896-22-0x0000000006770000-0x00000000067B6000-memory.dmp

memory/2896-23-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

memory/2896-25-0x0000000007710000-0x0000000007744000-memory.dmp

memory/2896-26-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/2896-27-0x0000000070880000-0x0000000070BD7000-memory.dmp

memory/2896-36-0x00000000076F0000-0x000000000770E000-memory.dmp

memory/2896-37-0x0000000007750000-0x00000000077F4000-memory.dmp

memory/5016-24-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2896-38-0x000000007F7F0000-0x000000007F800000-memory.dmp

memory/2896-39-0x0000000007EC0000-0x000000000853A000-memory.dmp

memory/2896-40-0x0000000007880000-0x000000000789A000-memory.dmp

memory/2896-41-0x00000000078C0000-0x00000000078CA000-memory.dmp

memory/2896-42-0x00000000079A0000-0x0000000007A36000-memory.dmp

memory/2896-43-0x0000000007910000-0x0000000007921000-memory.dmp

memory/2896-44-0x0000000007950000-0x000000000795E000-memory.dmp

memory/2896-45-0x0000000007960000-0x0000000007975000-memory.dmp

memory/2896-46-0x0000000007A60000-0x0000000007A7A000-memory.dmp

memory/5016-48-0x0000000004F60000-0x0000000005360000-memory.dmp

memory/5016-49-0x0000000005360000-0x0000000005C4B000-memory.dmp

memory/2896-51-0x0000000007A50000-0x0000000007A58000-memory.dmp

memory/2896-54-0x00000000742F0000-0x0000000074AA1000-memory.dmp

memory/1012-56-0x0000000004E40000-0x000000000523F000-memory.dmp

memory/1012-57-0x0000000005240000-0x0000000005B2B000-memory.dmp

memory/1012-58-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3092-59-0x0000000002660000-0x0000000002670000-memory.dmp

memory/3092-60-0x00000000742F0000-0x0000000074AA1000-memory.dmp

memory/5016-61-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3092-62-0x0000000002660000-0x0000000002670000-memory.dmp

memory/3092-71-0x0000000005970000-0x0000000005CC7000-memory.dmp

memory/3092-72-0x0000000002660000-0x0000000002670000-memory.dmp

memory/3092-73-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/3092-74-0x00000000706E0000-0x0000000070A37000-memory.dmp

memory/3092-83-0x0000000007080000-0x0000000007124000-memory.dmp

memory/3092-84-0x0000000007390000-0x00000000073A1000-memory.dmp

memory/3092-86-0x00000000073E0000-0x00000000073F5000-memory.dmp

memory/1012-87-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3092-90-0x00000000742F0000-0x0000000074AA1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4032-92-0x00000000742F0000-0x0000000074AA1000-memory.dmp

memory/4032-93-0x0000000003390000-0x00000000033A0000-memory.dmp

memory/4032-94-0x00000000062C0000-0x0000000006617000-memory.dmp

memory/1012-95-0x0000000004E40000-0x000000000523F000-memory.dmp

memory/4032-96-0x0000000003390000-0x00000000033A0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 359721ecdc10c9aa23a078090fc93535
SHA1 07be1e5ab52f616d64d90bcee23fd29725ab367e
SHA256 bed1586bc98c91462d68fc828402df28cfcf82f044302c0dff588bb85237dbdc
SHA512 0df472f8bc51a97529635db316e89aa8c35df60dbbcc8a398a0a1471df379489c266fb1398fcd5e6df067a33bf671130d3cb29f03dc6c30d70cea5d96e12f979

memory/1012-106-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4032-107-0x0000000003390000-0x00000000033A0000-memory.dmp

memory/4032-108-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/4032-109-0x00000000707B0000-0x0000000070B07000-memory.dmp

memory/1012-119-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4032-121-0x00000000742F0000-0x0000000074AA1000-memory.dmp

memory/5108-122-0x00000000742F0000-0x0000000074AA1000-memory.dmp

memory/5108-124-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

memory/5108-123-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

memory/5108-130-0x0000000005980000-0x0000000005CD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 57b7ad95237f7e2c33f991b915f87929
SHA1 dfffc40d553264d15dcc836c0e9019184cb2dd54
SHA256 da2f71f0ec421ae5c94c0a0268f6fba92e793799f75b98ac8f6ef4f635b46954
SHA512 b05aa89c552f58773015eb6a394969f23ed3d46f3db1dc0f8ee0987d3a925dd39927ffd4e99fd943379d3d7a73c8c33e708965f390745e88d3d842f97b1c6f2c

memory/5108-135-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

memory/5108-136-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/5108-137-0x0000000070750000-0x0000000070AA7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 1668ccef2fc9bdcfc1defa824c8e5a81
SHA1 956525e1188ea6a6935f105a60f57b93ef53e633
SHA256 e557ec68d2de589e9acfae0ca6eafca3b1d96b41b8ec0307a0b75a193551a349
SHA512 231b31ae22bb5459c6cf5f5c8baa3e897522678b50a727ac5acc51bf70520c0af2a9a47e15b87fa56da3ce87bf87305f45ac020094eb895b2a73b0b1c54b51d1

memory/1012-153-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b85c2fec40fd8983560883c9dcf592ea
SHA1 0bd0e10db4c3a68aead5482173eb05c39de9ad28
SHA256 ace2c475f584881586a3b1229d4ffb11af40fae1d0bd82bde1b82a099ff02883
SHA512 19dfe8abc5d9b1994f95a9e3f40424d09ca810355c024056c612df5ce640a311241d4ac885e4a2fa2f9b2626b8f4fc09018cba214c43e87dad1e973054441beb

memory/4968-183-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cdb23267396e1c0b470d9f73686599bb
SHA1 de28c14c925114c57e61cb0a3607049c0e3b1a01
SHA256 1d4984e6a4703f3f6f6b6fbc5d82754310af6298820c30a713d24a9be3a9949c
SHA512 df119116fb5ef2d360223df4426403e4813618a170cd26689687dc8826aac48a98a94ac6da4d0bf71a752ae95d153b8b7ab3253a99a8f3942d79bb2289e9cab6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 96f96ee49dcb2136462a33a87bd4a702
SHA1 1a1bf6ddb6c70761f03ba210425a0945038b410a
SHA256 271dabebf0b1dcdd01679c39142d5ad25a0e210a149d34b96485323311f6acb8
SHA512 22b0b654d8c25a2e2717df6a8fd18dbfd4ec5425b9d29a2f7dba4c1b889cd9990066ec19f0dd9282d3aaf294058ef9cb6a1c86b1783065b9b3e1a667ca9fc45a

memory/4968-245-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4968-254-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2812-263-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4968-265-0x0000000000400000-0x0000000003118000-memory.dmp

memory/784-267-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4968-270-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4968-274-0x0000000000400000-0x0000000003118000-memory.dmp

memory/784-275-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4968-278-0x0000000000400000-0x0000000003118000-memory.dmp

memory/4968-282-0x0000000000400000-0x0000000003118000-memory.dmp