Malware Analysis Report

2025-08-06 03:33

Sample ID: 240419-rdta1aec33
Target: e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b
SHA256: e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b
Tags: glupteba discovery dropper evasion loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b

Threat Level: Known bad

The file e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:05

Reported

2024-04-19 14:07

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 888 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 4336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3120 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\rss\csrss.exe
PID 2504 wrote to memory of 2520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 3088 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 4944 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4892 wrote to memory of 3924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe

"C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe

"C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0d262680-6040-4408-85b6-9483d03848c9.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server9.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server9.theupdatetime.org tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
BG 185.82.216.108:443 server9.theupdatetime.org tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
BG 185.82.216.108:443 server9.theupdatetime.org tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server9.theupdatetime.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yv4pquj4.aqf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72ed851fd5d3fd16d7a8b52351e0c76d
SHA1 c8b6f3b5e674d6854b552576cd105171ab948eb8
SHA256 d4065bf99e46338ff5ec369e644c91dcb66837f5ad507c1ddf2328398de0f6be
SHA512 c9d6102927366591efbca2292789eee22e31e02d98c439ace568e45d3c5a940f3d22241a76ba3ba37f2737d92858923544058e60302a1f2b7b8f04481e2e623c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e865f5ef41abb1d80fbabcad85e778e4
SHA1 135fe5ce8fc6009b18e59375b15e0951220b637d
SHA256 24b1a954cf8929916948bc8f943fb3af223740558b4737f8eda22fe503276730
SHA512 319e6733bb53dafa7ac98ffc52e86ccec8c93a5a0ba213d3732844f08e2823b71327ea9f7c1556b64956ddf866233a48471804624f042ac1b0375869641eed62

C:\Windows\rss\csrss.exe

MD5 b2128cefe6a9d6678b19d9f3ad12284f
SHA1 987e368da9ff647e8675936d20a4d1c4704839a8
SHA256 e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b
SHA512 3520921bb9a9054084f06799ae198ecbaf38a13fd0c476dbef8a292ce0043ede00c3cf2dc4e70c63a23368ffb50e42c45e3c283bd169391cc5e03c67890dea44

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f284b240eba68c8f43d274be69004791
SHA1 51935bc4b75a1a1522e248bc61380e6a95b42d1d
SHA256 d693183c6573176d6473b8c37aa736e4864f8eec5858dfdcebdb276f5d9b6bea
SHA512 faa2ded595f5795c4c5e48ea51651c8aca4f4f85d0312d1afe15803c4290a92ffa41573dd3f8beb57eaaf734176a444fe930d7bfb9bc422ef2fe16afd68c9c2b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd90b34b90ff0edf16427e8202c2203f
SHA1 6a70d13fb7869e0b3354cf524fb55b13d8242d7b
SHA256 ff3791ab82629acf20e2ab00401c76cfe035d4a23ef9ec5083e76b6cd0514b9f
SHA512 e8f1d32a34bb401a0aace9445c3dd89baca8f5152eec73fc1749059b68c0f499c94433afc5f094661ba6955f3501c51595ee8c4ec28e5c16ecedf524327fc0cc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 44e1575d5b17c0c30bdf1d2f1763bd85
SHA1 660643a11973443587ea1ffa38de8a8553f0eb94
SHA256 7ffec0bc53b791912ad1c95f8605b95c6e85318baff6584a885c00ccc95efade
SHA512 7131c7ecc991eb6ffdfc22ea30b5566ea21c231b78ac32693da98d003d752214ee018eb25e6cab68207d09cfafdaef6461a5c4961e222696bdbd1c97e5bd5438

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:05

Reported

2024-04-19 14:07

Platform

win11-20240412-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\system32\cmd.exe
PID 5116 wrote to memory of 3852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5116 wrote to memory of 3852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\rss\csrss.exe
PID 2108 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\rss\csrss.exe
PID 2108 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe C:\Windows\rss\csrss.exe
PID 3112 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3112 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2440 wrote to memory of 3176 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 3176 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 3176 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3176 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3176 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe

"C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe

"C:\Users\Admin\AppData\Local\Temp\e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 4a5f5d36-e0bf-4350-b5e5-656e5c8e2517.uuid.theupdatetime.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server13.theupdatetime.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server13.theupdatetime.org tcp
BG 185.82.216.108:443 server13.theupdatetime.org tcp
BG 185.82.216.108:443 server13.theupdatetime.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/4708-1-0x0000000003C40000-0x0000000004045000-memory.dmp

memory/4708-2-0x0000000004050000-0x000000000493B000-memory.dmp

memory/4708-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4264-4-0x0000000002A00000-0x0000000002A36000-memory.dmp

memory/4264-5-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/4264-7-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/4264-6-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/4264-8-0x00000000050C0000-0x00000000056EA000-memory.dmp

memory/4264-9-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

memory/4264-10-0x00000000056F0000-0x0000000005756000-memory.dmp

memory/4264-11-0x0000000005760000-0x00000000057C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3r20w21p.gzs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4264-20-0x0000000005920000-0x0000000005C77000-memory.dmp

memory/4264-21-0x0000000005E80000-0x0000000005E9E000-memory.dmp

memory/4264-22-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

memory/4264-23-0x0000000007000000-0x0000000007046000-memory.dmp

memory/4264-24-0x00000000072B0000-0x00000000072E4000-memory.dmp

memory/4264-25-0x000000007F1F0000-0x000000007F200000-memory.dmp

memory/4264-27-0x0000000070E40000-0x0000000071197000-memory.dmp

memory/4264-26-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/4264-37-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/4264-36-0x00000000072F0000-0x000000000730E000-memory.dmp

memory/4264-38-0x0000000007310000-0x00000000073B4000-memory.dmp

memory/4264-39-0x0000000007A80000-0x00000000080FA000-memory.dmp

memory/4264-40-0x0000000007440000-0x000000000745A000-memory.dmp

memory/4264-41-0x0000000007480000-0x000000000748A000-memory.dmp

memory/4264-42-0x0000000007590000-0x0000000007626000-memory.dmp

memory/4264-43-0x00000000074A0000-0x00000000074B1000-memory.dmp

memory/4264-44-0x00000000074F0000-0x00000000074FE000-memory.dmp

memory/4264-45-0x0000000007500000-0x0000000007515000-memory.dmp

memory/4264-46-0x0000000007550000-0x000000000756A000-memory.dmp

memory/4264-47-0x0000000007570000-0x0000000007578000-memory.dmp

memory/4264-50-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/2108-53-0x0000000003F10000-0x00000000047FB000-memory.dmp

memory/4708-54-0x0000000003C40000-0x0000000004045000-memory.dmp

memory/2108-52-0x0000000003B10000-0x0000000003F0A000-memory.dmp

memory/2108-55-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1616-56-0x0000000005440000-0x0000000005450000-memory.dmp

memory/1616-57-0x0000000005440000-0x0000000005450000-memory.dmp

memory/1616-59-0x0000000006340000-0x0000000006697000-memory.dmp

memory/4708-58-0x0000000004050000-0x000000000493B000-memory.dmp

memory/1616-60-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/1616-71-0x0000000070F10000-0x0000000071267000-memory.dmp

memory/1616-70-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/1616-80-0x0000000007A70000-0x0000000007B14000-memory.dmp

memory/1616-69-0x000000007F360000-0x000000007F370000-memory.dmp

memory/4708-81-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1616-82-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

memory/1616-83-0x0000000007E00000-0x0000000007E15000-memory.dmp

memory/1616-86-0x0000000074A50000-0x0000000075201000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4724-89-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/4724-88-0x0000000074A50000-0x0000000075201000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc131387d93903cfd8fc9a649113e8db
SHA1 46b876400fba08fbe2e16c470183f7b3e31f062d
SHA256 da4b56dd6abee5cdb420b7b5f375ca0f443b925c892d54c26a5fd1e7dd63f98f
SHA512 781acdb355f6160e4921f0dbc20595152c8e07c97f70a956dcbd1a9a7044130fea869a2a2efbf9b1a5bf451331669940dd75b5a9a889fdae04a54ab934bcf43e

memory/4724-99-0x000000007F2C0000-0x000000007F2D0000-memory.dmp

memory/4724-110-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/4724-101-0x0000000070E40000-0x0000000071197000-memory.dmp

memory/4724-100-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/4724-112-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/1792-113-0x0000000074A50000-0x0000000075201000-memory.dmp

memory/1792-115-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/1792-116-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/2108-114-0x0000000003B10000-0x0000000003F0A000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 99e628c22e5ef48936388a993545413a
SHA1 f1bf9355155299446612dc3ee597cb9486a2f12d
SHA256 ed6239a8dae9d8cef8607bf06705a6563f2133ac4bc966bd28c80b20b8855320
SHA512 5404a160925735d5c3a6313f8ec9117c7b89663e7cee2a6b14c5084dab62b3094c02f0303077cd7c88611fc05f947b4a696938a7d8949b9841aa28624df18641

memory/1792-126-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/1792-127-0x0000000070E40000-0x0000000071197000-memory.dmp

memory/2108-128-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1792-138-0x000000007FD60000-0x000000007FD70000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b2128cefe6a9d6678b19d9f3ad12284f
SHA1 987e368da9ff647e8675936d20a4d1c4704839a8
SHA256 e2693272500a1df616b321f7a98380c4453dc03110df28c7fadc6ed4a9458d7b
SHA512 3520921bb9a9054084f06799ae198ecbaf38a13fd0c476dbef8a292ce0043ede00c3cf2dc4e70c63a23368ffb50e42c45e3c283bd169391cc5e03c67890dea44

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f6cfc4e5bbaf6585930f25e00043cdec
SHA1 df5cd2da62717546d26da70aeee7096f7eef0846
SHA256 1dda7190d1099316dc59218a1ec1581ca63b2d1610af24c2d4bd4a7af8dad07c
SHA512 7704b8374d7fe891e6c62d23f73d67473b02dcf327160361f7e6002be0a741cacdf1d6233f4f8f964a243e8925cd2743e873740e84aebf3f9e1d8796edad5e9c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 52c6237feebe6a03f67d34b1ca681995
SHA1 0704d91e39720f9d7c7895602dfeac5a21df52b0
SHA256 f31f38b41efdf573c72aa999decee3f1e79d45b8f61f8aee893d92db17e69b3e
SHA512 fbd1e23385a236a60fbd3cf2ae9b26f10eff90249d022df948dc09569c1756417ff02e37a996313e1216d05309cd49d35d892be6d6877dfe160c778746d8e97a

memory/2108-188-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8fdba1510869d891d23ec6593b02157b
SHA1 b98c6310ed41f644ab47385a7b1afcef23b60aef
SHA256 72d99d8e6850f9cbc1f93c0497d754db0e97a7e0366daf0d2621c570334aeab4
SHA512 7a330c6978f8336a30ff4aa1c3728b711839c3effad1c1424ef10b0d0b2b7ec89d967079246f578b182861b2ba79f9d4e5f38fd660f81e20828659e22199e86a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3112-242-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2440-250-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3112-252-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2664-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3112-256-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-260-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2664-262-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3112-264-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-268-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-272-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-276-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-280-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-284-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-288-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-292-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3112-296-0x0000000000400000-0x0000000001DFD000-memory.dmp