Malware Analysis Report

2025-08-05 12:18

Sample ID 240419-2rf8psad8v
Target e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743
SHA256 e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743

Threat Level: Known bad

The file e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 22:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 22:48

Reported

2024-04-19 22:51

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4524 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 4976 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4576 wrote to memory of 4976 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4516 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\rss\csrss.exe
PID 4516 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\rss\csrss.exe
PID 4516 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\rss\csrss.exe
PID 5020 wrote to memory of 4776 N/A C:\Windows\rss\csrss.exe C:\Windows\System32\sihclient.exe
PID 5020 wrote to memory of 4776 N/A C:\Windows\rss\csrss.exe C:\Windows\System32\sihclient.exe
PID 5020 wrote to memory of 4776 N/A C:\Windows\rss\csrss.exe C:\Windows\System32\sihclient.exe
PID 5020 wrote to memory of 4280 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 4280 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 4280 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 1268 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5020 wrote to memory of 1268 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 748 wrote to memory of 4592 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 4592 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 4592 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4592 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4592 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe

"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe

"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4524 -ip 4524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv o2DV1v+jwUG2TY80ND5F0g.0.2

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 96bfac09-5be4-4d52-b9f9-ee2810cca2f5.uuid.statscreate.org udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server8.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server8.statscreate.org tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 20.189.173.11:443 tcp
US 199.232.210.172:80 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
BG 185.82.216.96:443 server8.statscreate.org tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server8.statscreate.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp

Files

memory/4524-1-0x0000000003C50000-0x0000000004052000-memory.dmp

memory/4524-2-0x0000000004060000-0x000000000494B000-memory.dmp

memory/4524-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1164-4-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1164-5-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

memory/1164-6-0x0000000004A70000-0x0000000004A80000-memory.dmp

memory/1164-7-0x0000000005130000-0x0000000005758000-memory.dmp

memory/1164-8-0x00000000050A0000-0x00000000050C2000-memory.dmp

memory/1164-15-0x0000000005A30000-0x0000000005A96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5yeo2je.tsu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1164-9-0x00000000059C0000-0x0000000005A26000-memory.dmp

memory/1164-20-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

memory/1164-21-0x00000000060E0000-0x00000000060FE000-memory.dmp

memory/1164-22-0x00000000062E0000-0x000000000632C000-memory.dmp

memory/1164-23-0x0000000006620000-0x0000000006664000-memory.dmp

memory/1164-24-0x0000000007420000-0x0000000007496000-memory.dmp

memory/1164-25-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/1164-26-0x00000000074A0000-0x00000000074BA000-memory.dmp

memory/1164-28-0x000000007F060000-0x000000007F070000-memory.dmp

memory/1164-27-0x0000000007660000-0x0000000007692000-memory.dmp

memory/1164-29-0x00000000703D0000-0x000000007041C000-memory.dmp

memory/1164-30-0x0000000070550000-0x00000000708A4000-memory.dmp

memory/1164-41-0x0000000004A70000-0x0000000004A80000-memory.dmp

memory/1164-40-0x00000000076A0000-0x00000000076BE000-memory.dmp

memory/1164-42-0x00000000076C0000-0x0000000007763000-memory.dmp

memory/1164-43-0x00000000077B0000-0x00000000077BA000-memory.dmp

memory/1164-44-0x0000000007870000-0x0000000007906000-memory.dmp

memory/1164-45-0x00000000077D0000-0x00000000077E1000-memory.dmp

memory/1164-46-0x0000000007810000-0x000000000781E000-memory.dmp

memory/1164-47-0x0000000007820000-0x0000000007834000-memory.dmp

memory/1164-48-0x0000000007910000-0x000000000792A000-memory.dmp

memory/1164-49-0x0000000007860000-0x0000000007868000-memory.dmp

memory/1164-52-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4524-54-0x0000000003C50000-0x0000000004052000-memory.dmp

memory/4516-55-0x0000000003B10000-0x0000000003F0E000-memory.dmp

memory/4516-56-0x0000000003F10000-0x00000000047FB000-memory.dmp

memory/4516-57-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4524-58-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1292-59-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1292-60-0x0000000002A90000-0x0000000002AA0000-memory.dmp

memory/1292-61-0x0000000002A90000-0x0000000002AA0000-memory.dmp

memory/1292-71-0x0000000005BD0000-0x0000000005F24000-memory.dmp

memory/1292-72-0x00000000060A0000-0x00000000060EC000-memory.dmp

memory/1292-73-0x000000007F780000-0x000000007F790000-memory.dmp

memory/1292-74-0x00000000704D0000-0x000000007051C000-memory.dmp

memory/1292-75-0x0000000070650000-0x00000000709A4000-memory.dmp

memory/1292-85-0x0000000002A90000-0x0000000002AA0000-memory.dmp

memory/1292-86-0x0000000002A90000-0x0000000002AA0000-memory.dmp

memory/1292-87-0x00000000072B0000-0x0000000007353000-memory.dmp

memory/1292-88-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/1292-89-0x0000000007620000-0x0000000007634000-memory.dmp

memory/1292-92-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2472-95-0x0000000002CF0000-0x0000000002D00000-memory.dmp

memory/2472-94-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2472-96-0x0000000002CF0000-0x0000000002D00000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 afd5ed75312d035ee9bc232e59af8890
SHA1 3f1c0dbb5906dbcc1ee5ef2e6d0ad9d4dd6032c9
SHA256 3536e57ecd360b92aed64a653426433c63115936639788a3d851d41d558c175d
SHA512 5ee9f269ec4299efd21bf50969637cf4875ec390d4a98dfe2bc735fe3fb90abbabe09e69148cdfed2ae401180278e21629ae75eb3f7eaf338dbc45a197d3bcfc

memory/2472-107-0x00000000704D0000-0x000000007051C000-memory.dmp

memory/2472-108-0x0000000070650000-0x00000000709A4000-memory.dmp

memory/2472-118-0x0000000002CF0000-0x0000000002D00000-memory.dmp

memory/2472-120-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3144-121-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4516-131-0x0000000003B10000-0x0000000003F0E000-memory.dmp

memory/3144-133-0x0000000005760000-0x0000000005AB4000-memory.dmp

memory/3144-134-0x0000000004820000-0x0000000004830000-memory.dmp

memory/3144-132-0x0000000004820000-0x0000000004830000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7132fd819afc98ddb973c0822de36064
SHA1 2de20ed461d47179d4946a957b6d951615f58c1a
SHA256 af812d014e8c458d560776ccd02b6d51bdd5863bb67334ed5454d8e2709e51db
SHA512 a1af051797e50d8cc3eb9bd33134c0775765eeb22e7ffed0f51f3f1939741f861a8c73388c2fd384392f050ba535b8c5942301842a8a5c992585661231b69ae4

memory/3144-136-0x00000000704D0000-0x000000007051C000-memory.dmp

memory/3144-137-0x0000000070C80000-0x0000000070FD4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7c5db887e99d14244e2d8616c6229523
SHA1 5b4c40ce8699f97e244fd3e8b7c13d1872308b92
SHA256 e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743
SHA512 fa33743263ffe875009e912895c91716f04b4346f8e519135bd6935a4a8a5b11948f1c431a1afa2242dee6428ae90871d0bd1c52ee36a3240cf7fdaa61e15f99

memory/4516-154-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dd2616ae6adfb7be9cae5d70cd4e16a6
SHA1 dfd429909fe66db2d3c6fa54a4daf5be9e7c8be4
SHA256 28c011b7b810d08a0bd939b160e69414c36d6272385d2437fca5741afc738cb6
SHA512 1a7e4ccad5b6d3de0d6010dafe2d2efcbff3e08766359b0a207c32ef0c8d96574192ddc195ec5a9e1d7999947fd94eb31a5d9777860fab7ad1b94a5650307136

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 897c650b2cbcb046423892857e7510d0
SHA1 b98b4dfa4e89b3a587ebb66804a365b698a08dc0
SHA256 cde97d959238c3635ef263521eb81827cdd0d3202b2390e1d3786b16fb2ddcb2
SHA512 c603bfa6fc4820e94438c750808bcfa3e7445165361c0f4836fc7ea4a5eeefaea34a74eaeddbe483fc124242773d07ceee0730e60cfb4b5eebbe366a9bbb126b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 34ac01ca586a5771085560c8423347b2
SHA1 f8c281a7289c21e429d2aa5648a477a113440a87
SHA256 911eb7013b8baaf85c50e86fe20b96fbafc100fe2628d7ff6348776189a48f49
SHA512 36f0a0faebd08cc338be0a8cf2005d4cae8844cd842e20f2ee36026c8e7dcf9e68bd273280f0d3e1ab3e4038a0ea1a870637d525e8d3b2520872d27ee16b438e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5020-260-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/748-268-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5020-269-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4568-270-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5020-271-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-273-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4568-274-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5020-275-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-277-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-279-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4568-280-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5020-281-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-282-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-285-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-287-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-289-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5020-291-0x0000000000400000-0x0000000001E06000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 22:48

Reported

2024-04-19 22:51

Platform

win11-20240412-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A (4 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 identical rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (14 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2072 wrote to memory of 5892 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2072 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\system32\BackgroundTransferHost.exe (2 identical rows)
PID 4924 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 identical rows)
PID 2072 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2072 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2072 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe C:\Windows\rss\csrss.exe (3 identical rows)
PID 6056 wrote to memory of 3892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 6056 wrote to memory of 1800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 6056 wrote to memory of 1440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 6056 wrote to memory of 3760 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (2 identical rows)
PID 5764 wrote to memory of 3812 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 3812 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (3 identical rows)
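
Reconstructing the process tree from the WriteProcessMemory table is the fastest way to read this run. The script below is an added example, not part of the sandbox output; its input is the distinct rows of the table, one per parent/child pair, copied in a tab-separated form. Whether a given write is real injection or only the write every parent performs into a child it has just created, each row yields a parent-to-child edge. The table also records PID 4924 under two image names (BackgroundTransferHost.exe as a target, cmd.exe as a source), which the script surfaces instead of silently merging, and it records no parent write for the second e982... instance (2072) or for windefender.exe (5764), so those appear as separate roots; the report does not say how they were started.

```python
import re
from collections import defaultdict

# Constructed input: the distinct rows of the WriteProcessMemory table above, one per
# parent/child pair (the sandbox repeats each pair two or three times). Columns are
# tab-separated: description, indicator, source process, target process.
E982 = r"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
ROWS = "\n".join([
    f"PID 4908 wrote to memory of 3156\tN/A\t{E982}\t{PS}",
    f"PID 2072 wrote to memory of 5892\tN/A\t{E982}\t{PS}",
    f"PID 2072 wrote to memory of 4924\tN/A\t{E982}\tC:\\Windows\\system32\\BackgroundTransferHost.exe",
    f"PID 4924 wrote to memory of 3204\tN/A\tC:\\Windows\\system32\\cmd.exe\tC:\\Windows\\system32\\netsh.exe",
    f"PID 2072 wrote to memory of 3552\tN/A\t{E982}\t{PS}",
    f"PID 2072 wrote to memory of 1840\tN/A\t{E982}\t{PS}",
    f"PID 2072 wrote to memory of 6056\tN/A\t{E982}\t{CSRSS}",
    f"PID 6056 wrote to memory of 3892\tN/A\t{CSRSS}\t{PS}",
    f"PID 6056 wrote to memory of 1800\tN/A\t{CSRSS}\t{PS}",
    f"PID 6056 wrote to memory of 1440\tN/A\t{CSRSS}\t{PS}",
    f"PID 6056 wrote to memory of 3760\tN/A\t{CSRSS}\t{INJECTOR}",
    f"PID 5764 wrote to memory of 3812\tN/A\tC:\\Windows\\windefender.exe\tC:\\Windows\\SysWOW64\\cmd.exe",
    f"PID 3812 wrote to memory of 5000\tN/A\tC:\\Windows\\SysWOW64\\cmd.exe\tC:\\Windows\\SysWOW64\\sc.exe",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\t[^\t]*\t([^\t]+)\t([^\t]+)$")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """children[pid] -> child pids in report order; images[pid] -> every image name the report used for it."""
    children = defaultdict(list)
    images = defaultdict(set)
    for src, dst, src_img, dst_img in rows:
        if dst not in children[src]:
            children[src].append(dst)
        images[src].add(basename(src_img))
        images[dst].add(basename(dst_img))
    return dict(children), dict(images)


def conflicting_images(images):
    """PIDs the report labels with more than one image name (PID reuse or a labelling slip)."""
    return {pid: names for pid, names in images.items() if len(names) > 1}


def roots(children):
    """PIDs that never appear as a write target: where each chain starts."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def render(children, images, pid, depth=0):
    names = images.get(pid, {"?"})
    flag = "  <-- conflicting image names" if len(names) > 1 else ""
    lines = [f"{'  ' * depth}{pid} {'|'.join(sorted(names))}{flag}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


def process_tree(text):
    """Indented tree, one chain per root, from the raw table text."""
    children, images = build_tree(parse_rows(text))
    out = []
    for r in roots(children):
        out.extend(render(children, images, r))
    return "\n".join(out)


if __name__ == "__main__":
    print(process_tree(ROWS))
    print("conflicts:", conflicting_images(build_tree(parse_rows(ROWS))[1]))
```

The rendered tree makes the two halves of the run visible at a glance: the e982... loader fans out into PowerShell, the cmd/netsh firewall change and the copied csrss.exe, and csrss.exe in turn launches PowerShell and the injector, while the windefender.exe chain (cmd.exe, sc.exe) stands on its own.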

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe

"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe

"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

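The command lines in the list above carry most of the detection value of this run: a scheduled task at logon with the highest run level pointing at a csrss.exe outside System32, a firewall allow rule for that same binary, an injector that loads NtQuerySystemInformationHook.dll into taskmgr.exe, a scheduled task deleted, and a service security descriptor rewrite. The rules below are an added example of turning those into detections, not sandbox output. The process records are copied from the list above; the trusted-directory list and the set of binary names that belong only in System32 are my assumptions; and the DLL-injection rule relies on nothing but the shape of the injector's command line (a target process name followed by a DLL path).

```python
import re

E982 = r"C:\Users\Admin\AppData\Local\Temp\e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed input: (image path, command line) pairs copied from the Processes list above.
PROCESSES = [
    (E982, f'"{E982}"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell -nologo -noprofile"),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", "schtasks /delete /tn ScheduledUpdate /f"),
    (INJECTOR, f"{INJECTOR} taskmgr.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", f"cmd.exe /C sc sdset WinDefender {SDDL}"),
    (r"C:\Windows\SysWOW64\sc.exe", f"sc sdset WinDefender {SDDL}"),
    (r"C:\Windows\system32\BackgroundTransferHost.exe", '"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1'),
]

# Assumptions: directories from which task targets and firewall-allowed programs are
# unremarkable, and binary names that have no business running outside System32.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                     "svchost.exe", "winlogon.exe", "wininit.exe"}


def in_trusted_dir(path):
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1]


def check(image, cmd):
    """Run every rule against one (image, command line) record; returns (rule, detail) pairs."""
    found = []
    if basename(image).lower() in SYSTEM_ONLY_NAMES and not in_trusted_dir(image):
        found.append(("masquerade", f"{basename(image)} running from {image}"))
    m = re.search(r'schtasks(?:\.exe)?\s+/create\b.*?/tr\s+"?([^"]+?)"?\s+/tn\s+(\S+)', cmd, re.I)
    if m and not in_trusted_dir(m.group(1)):
        how = " ".join(x.group(1) for x in (re.search(r"/sc\s+(\S+)", cmd, re.I),
                                             re.search(r"/rl\s+(\S+)", cmd, re.I)) if x)
        found.append(("schtasks-persistence", f"task {m.group(2)}: {how} -> {m.group(1)}"))
    m = re.search(r"schtasks(?:\.exe)?\s+/delete\s+/tn\s+(\S+)", cmd, re.I)
    if m:
        found.append(("schtasks-delete", f"task {m.group(1)} removed"))
    m = re.search(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bdir=(\w+).*?action=(\w+).*?program="?([^"\s]+)', cmd, re.I)
    if m and m.group(2).lower() == "allow" and not in_trusted_dir(m.group(3)):
        found.append(("firewall-allow", f"dir={m.group(1)} allow for {m.group(3)}"))
    m = re.search(r"\s(\S+\.exe)\s+(\S+\.dll)\b", cmd, re.I)
    if m:
        found.append(("dll-injection", f"{basename(m.group(2))} into {m.group(1)}"))
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+\S+", cmd, re.I)
    if m:
        found.append(("service-dacl", f"security descriptor rewritten on service {m.group(1)}"))
    return found


def triage(processes):
    """Apply check() to every record and drop repeats (the same command usually appears twice: cmd.exe /C and the child)."""
    seen, out = set(), []
    for image, cmd in processes:
        for finding in check(image, cmd):
            if finding not in seen:
                seen.add(finding)
                out.append(finding)
    return out


if __name__ == "__main__":
    for rule, detail in triage(PROCESSES):
        print(f"{rule:22} {detail}")
```

Against the records above this yields six findings: the firewall allow for C:\Windows\rss\csrss.exe, csrss.exe running outside System32, the ONLOGON/HIGHEST task pointing at it, the ScheduledUpdate task deletion, the DLL loaded into taskmgr.exe, and the descriptor rewrite on the WinDefender service. The PowerShell and BackgroundTransferHost.exe records produce nothing, which is the right outcome for `powershell -nologo -noprofile` on its own.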
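What the `sc sdset WinDefender ...` line actually does is easier to see once the SDDL is decoded. The parser below is an added example, not sandbox output: it splits the descriptor into ACEs, maps the two-letter right codes onto SERVICE_* rights, and compares the result with a reference descriptor that I supply as an assumption (the stock descriptor a newly created service gets on current Windows builds, as I recall it; confirm it with `sc sdshow <service>` on a clean host before relying on it). Note also that the service name is one letter away from WinDefend, the genuine Windows Defender service.

```python
import re

# The descriptor from the "sc sdset WinDefender ..." command line in the Processes list above.
MALWARE_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumed reference: the descriptor a newly created service gets on current Windows
# builds, as I recall it. Confirm with `sc sdshow <service>` on a clean host.
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# SDDL two-letter right codes as they map onto service-object access rights.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(code):
    """Split a rights string such as 'CCLCSWRP' into named rights; unknown pairs stay raw."""
    return {SERVICE_RIGHTS.get(code[i:i + 2], code[i:i + 2]) for i in range(0, len(code), 2)}


def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]} with one dict per ACE (type, flags, rights, trustee)."""
    acls = {"D": [], "S": []}
    for key in acls:
        m = re.search(rf"(?<![A-Z]){key}:((?:\([^)]*\))*)", sddl)
        if not m:
            continue
        for body in ACE_RE.findall(m.group(1)):
            f = body.split(";")
            if len(f) < 6:
                continue  # an SDDL ACE carries six ';'-separated fields; skip malformed ones
            acls[key].append({"type": ACE_TYPES.get(f[0], f[0]), "flags": f[1],
                              "rights": decode_rights(f[2]), "trustee": TRUSTEES.get(f[5], f[5])})
    return acls


def rights_of(sddl, trustee, ace_type):
    """Union of rights in DACL ACEs of the given type (ALLOW/DENY) for one trustee."""
    out = set()
    for ace in parse_sddl(sddl)["D"]:
        if ace["type"] == ace_type and ace["trustee"] == trustee:
            out |= ace["rights"]
    return out


def effective_rights(sddl, trustee):
    """Explicit allow minus explicit deny for one trustee (no group expansion)."""
    return rights_of(sddl, trustee, "ALLOW") - rights_of(sddl, trustee, "DENY")


def lost_against_default(sddl, default=DEFAULT_SD):
    """Per trustee, the rights the default grants that this descriptor no longer does."""
    lost = {}
    for trustee in TRUSTEES.values():
        gone = effective_rights(default, trustee) - effective_rights(sddl, trustee)
        if gone:
            lost[trustee] = gone
    return lost


def lockout_findings(sddl):
    """The 'only SYSTEM can control me' pattern: Administrators missing service-control rights."""
    have = effective_rights(sddl, "Administrators")
    return [f"Administrators lack {r}" for r in
            ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE", "SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC")
            if r not in have]


if __name__ == "__main__":
    for ace in parse_sddl(MALWARE_SD)["D"]:
        print(ace["type"], ace["trustee"], sorted(ace["rights"]))
    print(lost_against_default(MALWARE_SD))
    print(lockout_findings(MALWARE_SD))
```

Decoded, the descriptor does two things to Builtin Administrators: the allow ACE has had WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) removed relative to the default, and a new ACE (D;;WPDT;;;BA) explicitly denies those same two rights, so an elevated `sc stop` or `net stop WinDefender` fails with access denied while LocalSystem keeps full control. Administrators still hold SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC, so from an elevated prompt `sc sdset WinDefender` with a sane descriptor, or `sc delete WinDefender`, remains the recovery path.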
Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server6.statscreate.org tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.96:443 server6.statscreate.org tcp
BG 185.82.216.96:443 server6.statscreate.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/4908-1-0x0000000003DA0000-0x00000000041A6000-memory.dmp

memory/4908-2-0x00000000041B0000-0x0000000004A9B000-memory.dmp

memory/4908-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/3156-4-0x00000000047F0000-0x0000000004826000-memory.dmp

memory/3156-5-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/3156-6-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3156-7-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3156-8-0x0000000004E60000-0x000000000548A000-memory.dmp

memory/3156-9-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

memory/3156-10-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/3156-11-0x0000000005670000-0x00000000056D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzzkuggf.bcg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3156-20-0x00000000057C0000-0x0000000005B17000-memory.dmp

memory/3156-21-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

memory/3156-22-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

memory/3156-23-0x0000000006240000-0x0000000006286000-memory.dmp

memory/3156-26-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/3156-27-0x0000000070BE0000-0x0000000070F37000-memory.dmp

memory/3156-25-0x00000000070B0000-0x00000000070E4000-memory.dmp

memory/3156-24-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

memory/3156-37-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3156-38-0x0000000007110000-0x00000000071B4000-memory.dmp

memory/3156-36-0x00000000070F0000-0x000000000710E000-memory.dmp

memory/3156-39-0x0000000007880000-0x0000000007EFA000-memory.dmp

memory/3156-40-0x0000000007240000-0x000000000725A000-memory.dmp

memory/3156-41-0x0000000007280000-0x000000000728A000-memory.dmp

memory/3156-42-0x0000000007390000-0x0000000007426000-memory.dmp

memory/3156-43-0x00000000072A0000-0x00000000072B1000-memory.dmp

memory/3156-44-0x00000000072F0000-0x00000000072FE000-memory.dmp

memory/3156-45-0x0000000007300000-0x0000000007315000-memory.dmp

memory/3156-46-0x0000000007350000-0x000000000736A000-memory.dmp

memory/3156-47-0x0000000007370000-0x0000000007378000-memory.dmp

memory/3156-50-0x00000000747F0000-0x0000000074FA1000-memory.dmp

memory/4908-51-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2072-54-0x0000000003B80000-0x0000000003F87000-memory.dmp

memory/4908-53-0x00000000041B0000-0x0000000004A9B000-memory.dmp

memory/2072-55-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/5892-65-0x0000000005070000-0x0000000005080000-memory.dmp

memory/5892-66-0x0000000005070000-0x0000000005080000-memory.dmp

memory/5892-67-0x0000000005F60000-0x00000000062B7000-memory.dmp

memory/5892-64-0x0000000074890000-0x0000000075041000-memory.dmp

memory/5892-68-0x0000000006310000-0x000000000635C000-memory.dmp

memory/5892-69-0x000000007EEF0000-0x000000007EF00000-memory.dmp

memory/5892-71-0x0000000070CF0000-0x0000000071047000-memory.dmp

memory/5892-70-0x0000000070B70000-0x0000000070BBC000-memory.dmp

memory/5892-81-0x0000000005070000-0x0000000005080000-memory.dmp

memory/5892-82-0x0000000005070000-0x0000000005080000-memory.dmp

memory/5892-80-0x00000000074D0000-0x0000000007574000-memory.dmp

memory/5892-83-0x0000000007800000-0x0000000007811000-memory.dmp

memory/5892-84-0x0000000007850000-0x0000000007865000-memory.dmp

memory/5892-87-0x0000000074890000-0x0000000075041000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/3552-89-0x0000000074890000-0x0000000075041000-memory.dmp

memory/3552-91-0x0000000005F50000-0x00000000062A7000-memory.dmp

memory/3552-92-0x0000000004F20000-0x0000000004F30000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e09d05ce885c46e6aa918a37d890ff44
SHA1 90cee1d9c2a1f96b6c4ad69b0b8fce1bb1d05a66
SHA256 02056f2049c15b4e91018a850a06cc4cec8efe8c5c865f3212ea861a2fcacc94
SHA512 9539a8bb56e9c71c1d4dc7c77cd066691389b0d684766116272884402c4277412f154dc61b97e22908ee9f29012768dc2106a744da77ba5ad0de03fc1f4774d6

memory/3552-90-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/2072-113-0x0000000003B80000-0x0000000003F87000-memory.dmp

memory/3552-114-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/3552-104-0x0000000070DC0000-0x0000000071117000-memory.dmp

memory/3552-103-0x0000000070B70000-0x0000000070BBC000-memory.dmp

memory/3552-102-0x000000007F400000-0x000000007F410000-memory.dmp

memory/3552-116-0x0000000074890000-0x0000000075041000-memory.dmp

memory/1840-117-0x0000000074890000-0x0000000075041000-memory.dmp

memory/1840-118-0x0000000002580000-0x0000000002590000-memory.dmp

memory/1840-127-0x0000000002580000-0x0000000002590000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1d19f8574c3b72a6e072f5fc381965bb
SHA1 d5deadce85c7224a7e645f613a1f1676d8eb0474
SHA256 652b89761f5cbfb31243a4bbce2a78468f04b924735a74f69677e597bcce786a
SHA512 f66841effc9fd989917da01c458b229f0f4ba4edbeaa832fa6b24218b07e4684bb45da656d7ce718fa18240096113d0dbea3f2a6df1bd4d09a9d48f6c5a5c3f8

memory/2072-129-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1840-130-0x0000000070B70000-0x0000000070BBC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7c5db887e99d14244e2d8616c6229523
SHA1 5b4c40ce8699f97e244fd3e8b7c13d1872308b92
SHA256 e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743
SHA512 fa33743263ffe875009e912895c91716f04b4346f8e519135bd6935a4a8a5b11948f1c431a1afa2242dee6428ae90871d0bd1c52ee36a3240cf7fdaa61e15f99

memory/2072-147-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 960a454da80238128832976dcdb6dbe3
SHA1 256a561491c14e62fd8912b584833b2ddec72fad
SHA256 d7f255bf77b040b1337af0308bdec9ec49834802d9d5b076ef265db7e33bc03b
SHA512 6fd0bcb9ffc263e729d6d329f4d9717666d738bfbb6eb7a50056cc5b3c0aee61a31930160f2e6a3f28d43ac29b6e0fc6230b1aa8d737a7565cc8591f5037194a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4c67a5ebbb77c2556c3aa65a31fca075
SHA1 a96b291f8e7d0e73f89ec21ee05b9869cc7d8cca
SHA256 ce8d4769ccada7865d2faf4bf110517284452a2910b3372b9654aa1139f72d02
SHA512 e6f36fc602b1e54fee8000cacffca022977091c321a7be81cc313f5638d244c1a3533b628e015ab86b28254c6d18ec366e57f7c6d01821be0eb29435f6d31872

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a7f32c086e027ea9ee3eef9a00cc8b72
SHA1 9570d37819e1ed6d2ee794dae079020cc79430f1
SHA256 11451a3325b56fa339c96269b8e1fe06178fa7876aede9628fffc68dfd5ed8eb
SHA512 140e2063a1e4ef8b89b1d5386016a6a19d63b8e09640f2ab2518973f072f34a092cfe3e4ad5c0b2efbbadeca7cc0455b3f74de5bff25146c61beb51e33a3b14b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/6056-246-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5764-253-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/6056-255-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4808-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/6056-257-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-259-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4808-260-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/6056-261-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-263-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-265-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-267-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-269-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-271-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-273-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-275-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/6056-277-0x0000000000400000-0x0000000001E06000-memory.dmp
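
Two things in the Files list deserve pulling out. C:\Windows\rss\csrss.exe has the same SHA256 as the submitted sample, so the loader copies itself into place and one hash covers both the dropper and the persisted binary. And the PowerShell artifacts under C:\Windows\SysWOW64\config\systemprofile\ are written into LocalSystem's profile, which places those 32-bit PowerShell runs in the SYSTEM context. The script below is an added example, not sandbox output: it classifies the (path, SHA256) records copied from the list above, separating self-copies and dropped components, whose hashes belong in a blocklist, from PowerShell's per-launch artifacts (StartupProfileData-Interactive, the CLR usage log, the __PSScriptPolicyTest_*.ps1 script-policy probe), whose hashes change from run to run and are not indicators. The artifact-name pattern is my assumption.

```python
import re

SAMPLE_SHA256 = "e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743"
PROFILE = r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WINDEFENDER = r"C:\Windows\windefender.exe"

# Constructed input: (path, sha256) pairs copied from the Files list above, in report order.
FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzzkuggf.bcg.ps1",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log",
     "9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02"),
    (PROFILE, "02056f2049c15b4e91018a850a06cc4cec8efe8c5c865f3212ea861a2fcacc94"),
    (PROFILE, "652b89761f5cbfb31243a4bbce2a78468f04b924735a74f69677e597bcce786a"),
    (r"C:\Windows\rss\csrss.exe", "e982cfff440829fddcea5a149f67fe0c519cedd1d80be97002e5c9dff0681743"),
    (PROFILE, "d7f255bf77b040b1337af0308bdec9ec49834802d9d5b076ef265db7e33bc03b"),
    (PROFILE, "ce8d4769ccada7865d2faf4bf110517284452a2910b3372b9654aa1139f72d02"),
    (PROFILE, "11451a3325b56fa339c96269b8e1fe06178fa7876aede9628fffc68dfd5ed8eb"),
    (INJECTOR, "5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1"),
    (WINDEFENDER, "166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa"),
]

# Assumption: file names PowerShell writes on every launch; their content, and so their
# hashes, differs per run, which makes them useless as indicators.
RUNTIME_ARTIFACT = re.compile(r"^(__PSScriptPolicyTest_.*\.ps1|powershell\.exe\.log|StartupProfileData-Interactive)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(files, sample_sha256):
    """Bucket each record: self-copy (same hash as the sample), dropped-component, or powershell-runtime-artifact."""
    buckets = {"self-copy": [], "dropped-component": [], "powershell-runtime-artifact": []}
    for path, sha in files:
        if RUNTIME_ARTIFACT.match(basename(path)):
            buckets["powershell-runtime-artifact"].append(path)
        elif sha.lower() == sample_sha256.lower():
            buckets["self-copy"].append(path)
        else:
            buckets["dropped-component"].append(path)
    return buckets


def block_list(files, sample_sha256):
    """SHA256 values worth blocking: the sample itself plus every non-volatile dropped file."""
    b = classify(files, sample_sha256)
    keep = set(b["self-copy"]) | set(b["dropped-component"])
    return {sample_sha256.lower()} | {sha.lower() for path, sha in files if path in keep}


def system_profile_paths(files):
    """Files written under LocalSystem's profile: evidence that the writer ran as SYSTEM."""
    return [path for path, _ in files if "\\config\\systemprofile\\" in path.lower()]


if __name__ == "__main__":
    for bucket, paths in classify(FILES, SAMPLE_SHA256).items():
        print(bucket, len(paths), sorted(set(paths)))
    print("block:", sorted(block_list(FILES, SAMPLE_SHA256)))
    print("written as SYSTEM:", len(system_profile_paths(FILES)))
```

On these records the blocklist comes out as three hashes (the sample/csrss.exe copy, injector.exe and windefender.exe), the seven PowerShell artifacts are set aside, and six of the records sit under the SYSTEM profile.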