Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-tf4wmaeg66
Target 39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890
SHA256 39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890

Threat Level: Known bad

The file 39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 16:00

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 16:00

Reported

2024-04-17 16:03

Platform

win11-20240412-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 236 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4776 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\rss\csrss.exe
PID 1680 wrote to memory of 476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 3840 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1080 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2900 wrote to memory of 4576 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4576 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe

"C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe

"C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bc126ad1-49fe-4b13-b4d8-b38f1c152498.uuid.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.dumperstats.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server10.dumperstats.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server10.dumperstats.org tcp
BG 185.82.216.111:443 server10.dumperstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4ts32ok.0ir.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 547af6e54a0dddf4fb502e605d38c375
SHA1 519d8b4b4330a12b3b85a8068d3a96ed87588bb5
SHA256 e4c899b76cc41fa402e6d8501124f37394e566d780df6598874be6b2f771ac05
SHA512 b74463dfcb81a0e7e57770fdbf2a5387e3abcb95f166cd57688ebde5c7708c3481c09f2b36559829a2cc858144e28ccadbb4b68e2901e1c62d3e575f14f98ee5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b89f18908a43c369e1d0800efa43a17
SHA1 0a37cac6b86a4313d30ecad52aaee79d618fc311
SHA256 9aa9e1364fa1d78ba735ff84a3c5da156afe5e8ac9e704d45dea122cf1724aba
SHA512 7d54f66ec571b043c3106fc7c854ee93726b6e22a110fc62ab0772a819438be0df32be5e8db8219f6601b65f92d2f31041a9dd5b3e98d08557e143c78c34c3a6

C:\Windows\rss\csrss.exe

MD5 611bed5efb6f16974243d16714b8f5e7
SHA1 983c358f76644e4832e4a358617d82cef9fe7442
SHA256 39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890
SHA512 e07e7e20fd7f8d5f59851408ebfd8bdfc024d1a2b8b034a7dbb4c98ef3913a32a3c933b5d20bef9a1c2d608c92c77632372730525f4f8a573072b9501cd06cf4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 08b631e2f0a18f8a9a397eb0e53bce67
SHA1 07d58c9ec091672096767b67f61ef0a8c2289643
SHA256 d130025d641a0739f9b03a8d323625f6688c4ca46c3be4989d13cbb8e0003be8
SHA512 fb36ac6585e9c88957ee74cc72789bf81e41e87b44d7e959cce36d7b4fe0d6e176f3075f97c2eefdbf192ef28451c1d6bfd78ec4904ad1874d006295d1de3e35

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf80582a7379b9a7c2deadccb7fb23d2
SHA1 18d4cd5e5c0f99b09ee12d29dcf4a11c9cb72b3c
SHA256 29efdce19e72552fb136c064067194189de3b082840df626289ec6217ea89305
SHA512 1fab0f4eab3c70262598c1d9f17798d46e4860576aa870364126f2db1227dfd467891b71e464922850d7df9a0c47b5945780b113c95d6d61bced60febaae2a6e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f43e9615198ac2def68b395140bcb67
SHA1 2b560152a0f66d925085fe43631ded236e38ec1d
SHA256 5ba373102854cd53d654de0ead035fabc0d7b7a79caf45b2604b057e9c7e558c
SHA512 b885559ab5dfa0dca26c30d7a489c569bc3dfd2df3ab6a8c5a431f26a91361c90d4aced58e94f9c45deb5305395c8d5e1872b59df21a1b8a6ece39c052b6fd62

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 16:00

Reported

2024-04-17 16:03

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 408 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\system32\cmd.exe
PID 4900 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1688 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe C:\Windows\rss\csrss.exe
PID 3804 wrote to memory of 3512 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 2196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 4500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 3192 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4832 wrote to memory of 3604 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3604 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe

"C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe

"C:\Users\Admin\AppData\Local\Temp\39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 7c2a00f5-17e7-45fd-b8a3-0c9066ffd83f.uuid.dumperstats.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server5.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server5.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwwjkpvy.qv2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 79e01fe12c6a073307f8abb597e99337
SHA1 024531766227e15cfce2d1aa4851d5ed8147bf24
SHA256 33238f6abc3473d70b7ba620c6998acb1738718e456e02fd3cfe8ceb08dae363
SHA512 a6995bf9e02c3fab716ca629c2a9bee30500f7061eca767087ff31414db9e3a4bd03edd21ad6cc268880b4453ddeed8b34d036198a4777fb2ff258aea0acebbe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3505e69ad53c1749c3079036f340026b
SHA1 91688f004aa29c328c39ace759a4a8d5caba449c
SHA256 9c0b50f00ab921d66d0b2a857ef9a3b893b0d934084510a3a6120a5a276a015e
SHA512 24b09a81f31144f8db90443c91d8fcebf7d7585f9edd6f27b299557be1a7a8106eec989f9394965b044c70c2b62c51853261fd87678002fe183696edda4aada7

C:\Windows\rss\csrss.exe

MD5 611bed5efb6f16974243d16714b8f5e7
SHA1 983c358f76644e4832e4a358617d82cef9fe7442
SHA256 39e5f969c9d0913d31e2198f9b7926bfd44e7966a24743f43f98d8e6f34f5890
SHA512 e07e7e20fd7f8d5f59851408ebfd8bdfc024d1a2b8b034a7dbb4c98ef3913a32a3c933b5d20bef9a1c2d608c92c77632372730525f4f8a573072b9501cd06cf4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 301fdd7886de75cbe8641932c9072bc3
SHA1 a3853f5fc7da8262f7816f54860e8ecd5651cbd6
SHA256 82d42603fed644f787f2824c55050acad13ec3f80376002ab7e11ea81b86dbd5
SHA512 d3e5a3ff964954659eadb4a1e896f4f64ef8bba687e9ea8b8ce08db391d7f45c14c069dfcbc074401d369221f649b4caaa489aeb5458dc280161a600f0cd71d0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9643b67eacaa0d74292073d07b4ca9be
SHA1 12f2cbb4be4e878d159666c86aa5fe0eb2c5b4ed
SHA256 a5f09f629ab259dadc5591753f71ca30bd84d95a129d75d909b52c0556cee04e
SHA512 29e4540c772896e8caf6312b415cac0efa84795a9c8b4c0e447fd45b788ae1a3069ae7ee5577b147c23bc0043dbfb7944f9c3fc11cef1af889b01a3395f4c475

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0ad61e195819ff2e927f65ed0ef4db2b
SHA1 74d07f964eea15c8e1b1de47f8c7c33d22c0b5fb
SHA256 2fd1f4fece1e6d6c26c11b5f551437bcc26a26457f38238a3ecde62b9a2be949
SHA512 659e381021f54586faad40d4b4b8fc3d190fc8d946f70e0381360c39599f3cac3938bb6d01f99de0b54ff62d633fa3c9977e8b03a1d2a89d6aac0c184bd660a8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
