Malware Analysis Report

2025-08-05 12:17

Sample ID 240419-2rv2vshf24
Target 5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86
SHA256 5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86

Threat Level: Known bad

The file 5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 22:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 22:49

Reported

2024-04-19 22:52

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\system32\cmd.exe
PID 3084 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3084 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1244 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\rss\csrss.exe
PID 1244 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\rss\csrss.exe
PID 1244 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\rss\csrss.exe
PID 1520 wrote to memory of 1708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 4884 N/A C:\Windows\rss\csrss.exe C:\Windows\windefender.exe
PID 1520 wrote to memory of 4884 N/A C:\Windows\rss\csrss.exe C:\Windows\windefender.exe
PID 1520 wrote to memory of 4884 N/A C:\Windows\rss\csrss.exe C:\Windows\windefender.exe
PID 1520 wrote to memory of 3512 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 3512 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 3512 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 3568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1520 wrote to memory of 3568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3588 wrote to memory of 4128 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4128 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4128 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4128 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4128 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe

"C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe

"C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2888 -ip 2888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 22:49

Reported

2024-04-19 22:52

Platform

win11-20240412-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\system32\cmd.exe
PID 4816 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1556 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4816 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\rss\csrss.exe
PID 4816 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\rss\csrss.exe
PID 4816 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe C:\Windows\rss\csrss.exe
PID 1552 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 4068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 4068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 4068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 2176 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 2176 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 2176 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 2696 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1552 wrote to memory of 2696 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3852 wrote to memory of 2676 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 2676 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 2676 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2676 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2676 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe

"C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe

"C:\Users\Admin\AppData\Local\Temp\5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ed2a3116-0b7e-4271-b8ac-a03f20146818.uuid.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.theupdatetime.org udp
BG 185.82.216.108:443 server12.theupdatetime.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
N/A 127.0.0.1:3478 udp
BG 185.82.216.108:443 server12.theupdatetime.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/1700-1-0x0000000003C60000-0x0000000004059000-memory.dmp

memory/1700-2-0x0000000004060000-0x000000000494B000-memory.dmp

memory/1700-3-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1844-4-0x0000000004600000-0x0000000004636000-memory.dmp

memory/1844-5-0x0000000074C40000-0x00000000753F1000-memory.dmp

memory/1844-6-0x00000000045F0000-0x0000000004600000-memory.dmp

memory/1844-7-0x00000000045F0000-0x0000000004600000-memory.dmp

memory/1844-8-0x0000000004C70000-0x000000000529A000-memory.dmp

memory/1844-9-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

memory/1844-10-0x00000000053A0000-0x0000000005406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2rgwyka0.41d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1844-11-0x0000000005410000-0x0000000005476000-memory.dmp

memory/1844-20-0x0000000005650000-0x00000000059A7000-memory.dmp

memory/1844-21-0x0000000005A50000-0x0000000005A6E000-memory.dmp

memory/1844-22-0x0000000005B10000-0x0000000005B5C000-memory.dmp

memory/1844-23-0x0000000006090000-0x00000000060D6000-memory.dmp

memory/1844-24-0x000000007FAF0000-0x000000007FB00000-memory.dmp

memory/1844-26-0x0000000070EB0000-0x0000000070EFC000-memory.dmp

memory/1844-25-0x0000000006E90000-0x0000000006EC4000-memory.dmp

memory/1844-27-0x0000000071030000-0x0000000071387000-memory.dmp

memory/1844-28-0x00000000045F0000-0x0000000004600000-memory.dmp

memory/1844-37-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

memory/1844-38-0x0000000006EF0000-0x0000000006F94000-memory.dmp

memory/1844-39-0x0000000007650000-0x0000000007CCA000-memory.dmp

memory/1844-40-0x0000000007010000-0x000000000702A000-memory.dmp

memory/1844-41-0x0000000007050000-0x000000000705A000-memory.dmp

memory/1844-42-0x0000000007160000-0x00000000071F6000-memory.dmp

memory/1844-43-0x0000000007070000-0x0000000007081000-memory.dmp

memory/1844-44-0x00000000070C0000-0x00000000070CE000-memory.dmp

memory/1844-45-0x00000000070D0000-0x00000000070E5000-memory.dmp

memory/1844-46-0x0000000007120000-0x000000000713A000-memory.dmp

memory/1844-47-0x0000000007140000-0x0000000007148000-memory.dmp

memory/1844-50-0x0000000074C40000-0x00000000753F1000-memory.dmp

memory/4816-52-0x0000000003CD0000-0x00000000040D1000-memory.dmp

memory/4816-54-0x00000000040E0000-0x00000000049CB000-memory.dmp

memory/1700-53-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1700-55-0x0000000003C60000-0x0000000004059000-memory.dmp

memory/4816-56-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/4712-58-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/4712-60-0x0000000005A60000-0x0000000005DB7000-memory.dmp

memory/4712-59-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/4712-57-0x0000000074CE0000-0x0000000075491000-memory.dmp

memory/4712-69-0x0000000005F80000-0x0000000005FCC000-memory.dmp

memory/4712-70-0x000000007EF90000-0x000000007EFA0000-memory.dmp

memory/4712-72-0x0000000071210000-0x0000000071567000-memory.dmp

memory/4712-81-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/4712-82-0x0000000007190000-0x0000000007234000-memory.dmp

memory/4712-71-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/4712-83-0x00000000074E0000-0x00000000074F1000-memory.dmp

memory/4712-84-0x0000000007530000-0x0000000007545000-memory.dmp

memory/4712-87-0x0000000074CE0000-0x0000000075491000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1364-90-0x0000000005430000-0x0000000005440000-memory.dmp

memory/1364-89-0x0000000074CE0000-0x0000000075491000-memory.dmp

memory/1364-101-0x0000000006360000-0x00000000066B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5ab1a7d1497a2995c0f03116277fc22
SHA1 a2bc65d046bdb0e2ea2ff4f35911c769a11dcf2f
SHA256 42a69d8993c02a7cc55cbf23998f39e012c8c2302b699f6d407646a1ce098090
SHA512 9144328280335f3885a6e907ac5a4b46e92e24694d58dc44968ae5b4f28f3737e2ef423dc99726da1d48a30f16fd858432c9164afbc35b8582409bb3cebc2154

memory/1364-99-0x0000000005430000-0x0000000005440000-memory.dmp

memory/1364-103-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/1364-114-0x0000000005430000-0x0000000005440000-memory.dmp

memory/1364-105-0x0000000071140000-0x0000000071497000-memory.dmp

memory/1364-104-0x000000007FA00000-0x000000007FA10000-memory.dmp

memory/4816-102-0x0000000003CD0000-0x00000000040D1000-memory.dmp

memory/1364-116-0x0000000074CE0000-0x0000000075491000-memory.dmp

memory/2652-117-0x0000000074CE0000-0x0000000075491000-memory.dmp

memory/2652-118-0x0000000003230000-0x0000000003240000-memory.dmp

memory/4816-128-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3c10a073b59afdbb722ba580ad4c0489
SHA1 49401ec4ddc176799b8839e442948445042067f7
SHA256 1ef2d4a87d801fc1667835156565faeed124086054c46c2f3cd1a35ad2f5b3ad
SHA512 1f60341cfbf9412b137774e760ab8b160d7f370ca9a2a141706a98d5ef5b2ad7c3b13fc048a5c6675e660c90a5338f321022ceffa260295a6c4a3f9787540f59

memory/2652-130-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/2652-129-0x000000007F260000-0x000000007F270000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 592f08c552febfa8516b737bb0db08de
SHA1 cd06fbc58a4834240a355dfc215f3c1a35fc9875
SHA256 5c4cbe34b106246972fe8abc7ca4c24c426210c4d45e988cb90df2a89b732a86
SHA512 61ffe72c24441fc19d0549bdec857ceaffda276e78f319cc6b3452a5f688615ffd91a5fc4ba7accec9da38369f05be082437a6f1150326196cd8af5f26a70109

memory/4816-148-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 45e16ccad8141655c9c8360a7b5b5750
SHA1 1f7d91cb162e7439c6cad870beb6f49c8a9c5a86
SHA256 aff63b98092ad0815058ae93bcf1e53aa0287933d1846108e57d0cc247ada3e7
SHA512 317ca1538a50b9166042bbbaa5b923054b53ed7a89cb70932d81deaa49c97532ed1a737f08d8561a32772f9554a54ab8635f7f8110eb64119a8500f8f0c38ea0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2c2284ee25a2b11026c41b0f8bff2a3b
SHA1 b19e7bf2f2be3466a308566db7a43342a38f3177
SHA256 ed1eedc3284b0c0bcf517c1865cd4ad949ec33e123cb2b85e1d77cf268dcb200
SHA512 dbdb00b2c275bef851414176506b029a5382988bd328e07dc9ff1f4601a9541d6dbe85b97fcdc2c8dbb8b5f105ba1a2e911e44c25e99a2af9825368f5d2cc96b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5dabf3b7b16c4030747a170d1752f771
SHA1 16663101b15323d9914c84c311aa6cb3839de8ca
SHA256 1c628c070fdd5f153b74ee23225ec7fa84ddd5b7d7292328548378be0449d403
SHA512 b5d3e3d6fa8a180511baafde01ee904265ff009b73714c70eaa8b361f7e5d9d1bda170fc6ceec5c9ecc6b78b660715e2d318b75198d2b6ef2a22c30edae23e0b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1552-246-0x0000000000400000-0x0000000001E06000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3852-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1552-255-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2372-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1552-257-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-259-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/2372-260-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1552-261-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-263-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-265-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-267-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-269-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-271-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-273-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-275-0x0000000000400000-0x0000000001E06000-memory.dmp

memory/1552-277-0x0000000000400000-0x0000000001E06000-memory.dmp