Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-rdbqysfb4y
Target 105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e
SHA256 105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e

Threat Level: Known bad

The file 105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:04

Reported

2024-04-19 14:06

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(20 matches reported; the sandbox exported no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion

The netsh command line recorded under Processes adds an inbound allow rule named "csrss" for C:\Windows\rss\csrss.exe, the dropped payload, so the host firewall will not block connections to it. The genuine csrss.exe (Client/Server Runtime Subsystem) lives only in C:\Windows\System32; a copy under C:\Windows\rss is masquerading.

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Three dropped binaries run: csrss.exe from C:\Windows\rss, injector.exe from the user's Temp directory, and windefender.exe placed directly in the root of C:\Windows. csrss.exe and windefender.exe borrow legitimate-looking names: no Windows component ships as windefender.exe, and the service whose security descriptor it rewrites (sc sdset WinDefender under Processes) is named WinDefender, two letters away from the real Windows Defender service name, WinDefend.

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(4 matches reported; the sandbox exported no description, indicator, process or target for any of them)

Adds Run key to start application

persistence

The same per-user Run value is written twice, first by the dropper and then by csrss.exe itself, so csrss.exe rewrites it on start and deleting the value alone is not a clean-up. The ONLOGON scheduled task named csrss under Processes is a second, independent logon-time restart of the same binary.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion

\??\WinMonFS is not a Windows device name. It is the control device of the WinMonFS kernel driver that Glupteba installs to hide its files, and csrss.exe opening it is the user-mode component checking for, or talking to, that rootkit. Whether the driver actually loaded in this run is not recorded.

Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

These files are PowerShell's own startup-profile cache and CLR usage log, not dropped payloads. Their location is the useful fact: C:\Windows\SysWOW64\config\systemprofile is the LocalSystem profile, so the 32-bit PowerShell children in this run were executing as LocalSystem.

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Despite the signature name, the indicator is a device open rather than a DLL load: \??\VBoxMiniRdrDN is the device created by the VirtualBox shared-folders driver that ships with Guest Additions, so a successful open tells the sample it is running inside a VirtualBox guest.

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Two things to read from this table. First, writes under HKU\.DEFAULT come from processes whose HKEY_CURRENT_USER resolves to that hive, which is the case for LocalSystem (and for accounts without a loaded profile); the sample, windefender.exe and the PowerShell children all wrote there. Second, the values themselves are low-signal: the MuiCache entries are cached tzres.dll time-zone display strings, and the SystemCertificates and Internet Settings\ZoneMap keys are created by PowerShell's certificate-store and WinINet initialisation. The registry change that matters in this run is the Run value under the user hive listed earlier.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

The PowerShell rows are expected noise: .NET's process manager enables SeDebugPrivilege the first time it touches process information. The other three rows are informative. SeImpersonatePrivilege enabled by the sample is what token-impersonation based elevation to LocalSystem requires, which fits the LocalSystem-level activity seen elsewhere in this run, although the mechanism itself is not recorded. SeSystemEnvironmentPrivilege enabled by csrss.exe is the privilege needed to read or write UEFI firmware variables (GetFirmwareEnvironmentVariable / SetFirmwareEnvironmentVariable); whether it was used is not recorded. SeSecurityPrivilege enabled by sc.exe is required to write the SACL, the S: part of the descriptor passed to sc sdset.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Every row below pairs a parent with a child it has just created, matching the spawn chain under Processes (sample -> cmd.exe -> netsh.exe, sample -> csrss.exe -> injector.exe, windefender.exe -> cmd.exe -> sc.exe). Writes into a freshly created child are the usual source of this signature and are not evidence of injection on their own. The injection in this run is injector.exe loading NtQuerySystemInformationHook.dll into taskmgr.exe (command line under Processes), which, going by the DLL's name, hooks NtQuerySystemInformation so that Task Manager's process list omits the malware.

Description Indicator Process Target
PID 1988 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\system32\cmd.exe
PID 1048 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\system32\cmd.exe
PID 432 wrote to memory of 4296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 432 wrote to memory of 4296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1048 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\rss\csrss.exe
PID 1048 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\rss\csrss.exe
PID 1048 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\rss\csrss.exe
PID 5008 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 5032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 5032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 5032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 3824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 3824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 3824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1284 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5008 wrote to memory of 1284 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2960 wrote to memory of 1956 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1956 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1956 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1956 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1956 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence
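The signatures above reduce to a handful of process-creation patterns: a protected-process name (csrss.exe) running from C:\Windows\rss, an executable dropped into the root of C:\Windows, an inbound firewall allow rule for that binary, an ONLOGON task at the highest run level, a DLL in the user's Temp directory handed to injector.exe, and sc sdset writing a deny ACE. The Python below is an added example, not sandbox output or code from the report, that encodes those patterns as rules and runs them over constructed Sysmon-style process-creation events built from the command lines listed under Processes. PIDs come from the WriteProcessMemory table where it records them; 6001 and 6002, the empty parent_image fields and the svchost.exe negative-control event are placeholders, and the C:\Windows root allow-list is illustrative and must be tuned per build.

```python
import re
from pathlib import PureWindowsPath

# Paths copied from this report's process list.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe")
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
NETSH = (r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
         r'program="C:\Windows\rss\csrss.exe" enable=yes')

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Protected-process names: one of these outside System32/SysWOW64 is an impostor.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
# Illustrative allow-list of executables that legitimately sit directly in C:\Windows.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def ev(pid, image, parent, cmd):
    return {"pid": pid, "image": image, "parent_image": parent, "cmd": cmd}


# Constructed events (not a real log export); see the lead-in for which fields are placeholders.
EVENTS = [
    ev(1988, SAMPLE, "", f'"{SAMPLE}"'),
    ev(4776, POWERSHELL, SAMPLE, "powershell -nologo -noprofile"),
    ev(432, r"C:\Windows\system32\cmd.exe", SAMPLE, f'C:\\Windows\\Sysnative\\cmd.exe /C "{NETSH}"'),
    ev(4296, r"C:\Windows\system32\netsh.exe", r"C:\Windows\system32\cmd.exe", NETSH),
    ev(5008, CSRSS, SAMPLE, CSRSS),
    ev(6001, r"C:\Windows\SYSTEM32\schtasks.exe", "",
       r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    ev(1284, INJECTOR, CSRSS, f"{INJECTOR} taskmgr.exe "
       r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    ev(2960, r"C:\Windows\windefender.exe", "", r'"C:\Windows\windefender.exe"'),
    ev(1956, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\windefender.exe",
       f"cmd.exe /C sc sdset WinDefender {SDDL}"),
    ev(4268, r"C:\Windows\SysWOW64\sc.exe", r"C:\Windows\SysWOW64\cmd.exe", f"sc sdset WinDefender {SDDL}"),
    # Negative control (made up): a normal service host must produce no hits.
    ev(6002, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
       r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def _in_system_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(SYSTEM_DIRS)


def rules_for(event: dict) -> list[str]:
    """Names of every rule the event trips; an empty list means clean."""
    hits = []
    image, cmd = event["image"], event["cmd"]
    low = cmd.lower()
    parts = PureWindowsPath(image).parts
    name = parts[-1].lower()

    # 1. Protected-process name (csrss.exe) running from outside System32/SysWOW64.
    if name in SYSTEM_BINARIES and not _in_system_dir(image):
        hits.append("masquerading_system_binary")
    # 2. Executable sitting directly in C:\Windows (windefender.exe) that is not a known one.
    if len(parts) == 3 and parts[1].lower() == "windows" and name not in WINDOWS_ROOT_ALLOW:
        hits.append("unexpected_binary_in_windows_root")
    # 3. Inbound firewall allow rule whose program is not a system binary.
    m = re.search(r'program=("[^"]+"|\S+)', cmd, re.I)
    if "advfirewall firewall add rule" in low and "action=allow" in low and m and not _in_system_dir(m.group(1)):
        hits.append("firewall_allow_nonsystem_program")
    # 4. Logon-triggered task at the highest run level whose action is outside the system directories.
    m = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.I)
    if (name == "schtasks.exe" and "/create" in low and "/sc onlogon" in low and "/rl highest" in low
            and m and not _in_system_dir(m.group(1))):
        hits.append("schtasks_onlogon_highest_nonsystem")
    # 5. sc sdset that writes a deny ACE into a service DACL (here: deny stop/pause to Administrators).
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if m and re.search(r"\(D;[^)]*\)", m.group(2)):
        hits.append(f"service_dacl_deny_ace:{m.group(1)}")
    # 6. A DLL under the user's Temp directory passed on a command line (injector.exe ... Hook.dll).
    if re.search(r'\\appdata\\local\\temp\\[^\s"]+\.dll', low):
        hits.append("temp_dll_on_command_line")
    # 7. PowerShell started by a binary that itself runs from the user's Temp directory.
    if name == "powershell.exe" and TEMP_DIR_RE.search(event["parent_image"]):
        hits.append("powershell_spawned_from_temp")
    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """(pid, rule) for every rule hit, in event order."""
    return [(e["pid"], rule) for e in events for rule in rules_for(e)]


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Rules 3 and 5 fire twice each because the sandbox records both the cmd.exe wrapper and the child it launches with the same command line; de-duplicating on the child alone loses the wrapper, which is itself a useful pivot (the 32-bit sample reaches the 64-bit cmd.exe through the Sysnative alias).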

Processes

C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe

"C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe

"C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wren0rty.u2s.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Windows\windefender.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:04

Reported

2024-04-19 14:06

Platform

win11-20240412-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3556 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe C:\Windows\rss\csrss.exe
PID 676 wrote to memory of 5060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 1888 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 4376 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1980 wrote to memory of 3160 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe

"C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe

"C:\Users\Admin\AppData\Local\Temp\105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8e54d973-b755-4a18-8489-9c3e006a0e74.uuid.alldatadump.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.alldatadump.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server14.alldatadump.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 52.111.227.13:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5ka0vwu.lrk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 81f33909543319c19e60ba01867faead
SHA1 5387df55588227f5b4d6c8a7b3fdee10cc95ab56
SHA256 dc179242c876c8bf6bace9b82465a9ea0a41687b8e1efdeebfb22bf58d7a9e28
SHA512 28d804ed4b61ea241cb144dfdbc10768a83349ae6623d6581d9a33e2a51c549ea8aeb2a44f900d745d05889403c7f4296e1d94dc62d74dc295f8c290a7c3eea8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e5947c3d02112c34a3701c329142e777
SHA1 7738cc3737aa51c0395abf69e07f6e19a9162855
SHA256 7c0350b8324b3dbf772d7878039a6790424b6f46e13727d454be8ebf60d9654c
SHA512 eb4c61fdb7b44c00ef7afbf1532c566abbd0294bbdedc265bc2790bbcf99bf989f9ebf4712a898880c84772bdd4a017dc925ed7a5988f92dadad22c22c3a8d30

C:\Windows\rss\csrss.exe

MD5 a3516189919a22ec9eaba6ad8dc5effa
SHA1 3b7df3717b83a4385dadc7a8c15ba87e6a48b916
SHA256 105561403c846ad777a4e5eed1afc8c05222e9ae36f86a6559b6cf43bcd7159e
SHA512 b7cdd8d806bc150a1d321aaba192f8d02bb13f30cfccf093f0e76b78cd93f1c2cc767bb67c89516920a0ac23c6d92c4699381bfedf93f2c33fab245d30dbc9bc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d23c6c693b9bff477dfd5f7be7d67466
SHA1 c34d1c53b2afde6be2948399ad4b284f307505b1
SHA256 1b7746260c5918e6220058a4da9747c6095cb68ed4b992f1641c33c30e460015
SHA512 9e086d840edaa5666236c19fb09d379e5bc320633167e194cb11333dd496596743d9d4c0be977a2f0c764906ca80a1cab29fc88670df3c3cbafa03da72b80212

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c91c7f72a845cc467f6095a171ea97d
SHA1 3ced6aa2e484a22f656ee85962b419c2fe9560a3
SHA256 372fdf4a35bb234c7d4d5da7c1a0999ff2cb223b8e7563db8b3127c62d4f703a
SHA512 faaa4a95604a0ce7810b7e713c6240cae2538ac89f9d2538f60f6dd3355bb47d90ec029aeb2e946df96e966fdd9d6a5226790beaabf91aa9d69982f8ac8654d3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a1605d13889fa2668673744d843a65c0
SHA1 c115121e42ff54bd4e1ee3afd4d42b09694b74fa
SHA256 dd29c7c49a24d2ccebe4f48bab0a890a3df72b6c6eb1da11a9394961bc0f765b
SHA512 b99accbbd05781e5a317e6762d38d2a9ddf6d56a585d2388dce34d4afe2df77ebd6f67c35f5a87d63fa11e6d50454783d9908b0f5eef4e449e5e7d0e8bf4c4a6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
