Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-re8gbaec62
Target 5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c
SHA256 5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c

Threat Level: Known bad

The file 5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:07

Reported

2024-04-19 14:10

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 hits (no description, indicator, process or target recorded by the sandbox)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
4 hits (no description, indicator, process or target recorded by the sandbox)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A

Note: both writes go to the Run key of the interactive user's own hive (SID ending in -1000, i.e. HKCU), so this part of the persistence is per-user and starts csrss.exe unelevated; the ONLOGON scheduled task with /RL HIGHEST created later in this run gives the same binary an elevated start. The name csrss.exe under C:\Windows\rss\ is a masquerade of the real Client/Server Runtime, which only ever runs from C:\Windows\System32.

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Note: \??\WinMonFS is not a Windows device; it is the device name exposed by the file-hiding kernel driver that Glupteba installs (WinMonFS). The object only exists once that driver is loaded, so csrss.exe opening it is the user-mode component talking to the rootkit. The drop and load of the driver itself are not among the events captured in this report.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Note: none of these is a payload drop. They are PowerShell's own startup-profile cache and the CLR usage log, and they land under C:\Windows\SysWOW64\config\systemprofile, which is the profile directory of LocalSystem. What they tell you is that at least one of the 32-bit PowerShell instances in this run executed as SYSTEM rather than as the Admin user who launched the sample.

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A

Note: despite the signature name, the indicator is a device name, not a DLL. \??\VBoxMiniRdrDN is created by the VirtualBox shared-folders driver that ships with Guest Additions, so a successful open tells the sample it is inside a VirtualBox guest. The sandbox records only the attempt, not whether it succeeded or what the sample did with the answer.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Note: nearly all of these writes land under HKU\.DEFAULT, the hive LocalSystem sees as HKCU, which is consistent with windefender.exe, its PowerShell children and the sample instance that wrote them running as SYSTEM. The @tzres.dll MuiCache strings are a side effect of resolving time-zone display names through RegLoadMUIString, an artefact typical of Go binaries initialising the local time zone (Glupteba is written in Go); the SystemCertificates keys are created by PowerShell opening its certificate stores. None of these entries is attacker-chosen persistence; the persistence in this run is the Run key and the scheduled task listed elsewhere in this report.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1888 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1888 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\system32\cmd.exe
PID 864 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2192 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 864 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\rss\csrss.exe
PID 864 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\rss\csrss.exe
PID 864 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\rss\csrss.exe
PID 1044 wrote to memory of 2796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 848 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 848 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 848 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 3920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 3920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 3920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 3496 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1044 wrote to memory of 3496 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 224 wrote to memory of 2840 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 2840 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 2840 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2840 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2840 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe

"C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe

"C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Note: Sysnative is the alias through which a 32-bit (WOW64) process reaches the real 64-bit System32; it is invisible to 64-bit processes. Its use here confirms the dropper is a 32-bit binary on 64-bit Windows, which also explains why its PowerShell children run from SysWOW64.

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Note: the argument order (target process, then DLL path) and the DLL name describe what this helper does: it loads NtQuerySystemInformationHook.dll into taskmgr.exe. Hooking NtQuerySystemInformation inside Task Manager is the standard user-mode way to filter entries out of its process list without a driver, and it complements the kernel-side hiding done through WinMonFS.

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Note: WinDefender is the name the malware gives its own service for C:\Windows\windefender.exe; the real Microsoft Defender service is WinDefend (MsMpEng.exe). The SDDL is the stock service descriptor with two edits: the BUILTIN\Administrators allow ACE has lost WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and an explicit deny ACE, (D;;WPDT;;;BA), follows it. An elevated sc stop or Stop-Service therefore fails with access denied. Two things still work: the LocalSystem ACE keeps WP and DT, so a SYSTEM-context shell can stop the service, and the Administrators ACE still carries WD (WRITE_DAC), so an administrator can put the stock descriptor back with sc sdset and then stop and delete the service.

C:\Windows\windefender.exe

C:\Windows\windefender.exe
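Every persistence and defence-evasion step in this process list (the firewall allow rule, the ONLOGON task with /RL HIGHEST, the service-descriptor rewrite, the injector helper) is visible in a command line, which makes the whole chain cheap to detect from process-creation telemetry. The following Python is an added example written for this page; it is not sandbox output and not Glupteba code. It runs rules over the command lines copied from the Processes section and decodes the sc sdset SDDL to show exactly which rights BUILTIN\Administrators lose. The rule names, the masquerade heuristic (a core process name outside System32/SysWOW64) and the right and SID tables are this example's own; only the command lines come from the report.

```python
"""Command-line detection for the persistence/defence-evasion chain in this report.

Added example; not sandbox output and not Glupteba code. REPORT_CMDLINES is
copied from the Processes section. The rule names, the masquerade heuristic
and the SDDL decoder are this example's own construction.
"""
import re

# Core Windows process names that should only ever run from System32/SysWOW64.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
                        "services.exe", "svchost.exe", "wininit.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Service-specific access-right codes as they appear in service SDDL strings.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "BUILTIN\\Administrators",
                   "IU": "Interactive", "SU": "Service", "WD": "Everyone"}
ADMINS = WELL_KNOWN_SIDS["BA"]

# Command lines copied from the Processes section of this report.
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe"',
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]


def masquerades(path):
    """True when a core-process name (csrss.exe, ...) lives outside System32/SysWOW64."""
    p = path.strip('"').lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not p.startswith(LEGIT_DIRS)


def parse_service_sddl(sddl):
    """Decode the DACL of a service SDDL into (ace_type, trustee, [rights]) tuples."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]          # keep the DACL, drop the SACL
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")[:6]
        names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)]
        aces.append((ace_type, WELL_KNOWN_SIDS.get(sid, sid), names))
    return aces


def admins_cannot_stop(sddl):
    """True when Administrators are denied SERVICE_STOP or were never granted it."""
    allowed, denied = set(), set()
    for ace_type, who, rights in parse_service_sddl(sddl):
        if who == ADMINS:
            (allowed if ace_type == "A" else denied).update(rights)
    return "SERVICE_STOP" in denied or "SERVICE_STOP" not in allowed


def classify(cmdline):
    """Return [(rule, detail), ...] for one command line; [] when nothing fires."""
    low, found = cmdline.lower(), []
    # T1562.004: firewall allow rule pinned to one program
    if re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", low) and "action=allow" in low:
        m = re.search(r'program="?([^"\s]+)', cmdline, re.I)
        path = m.group(1) if m else "?"
        found.append(("firewall_allow", path + (" [masquerade]" if masquerades(path) else "")))
    # T1053.005: scheduled task, worse when it runs with highest privileges
    if re.search(r"schtasks(\.exe)?\s+/create\b", low):
        tr = re.search(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', cmdline, re.I)
        path = (tr.group(1) or tr.group(2)) if tr else "?"
        tn = re.search(r"/tn\s+(\S+)", cmdline, re.I)
        detail = f"task {tn.group(1) if tn else '?'} -> {path}"
        detail += " [RL HIGHEST]" if "/rl highest" in low else ""
        detail += " [masquerade]" if masquerades(path) else ""
        found.append(("schtask_create", detail))
    # T1543.003: service descriptor rewritten so that admins cannot stop it
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(D:\S+)", cmdline, re.I)
    if m:
        svc, sddl = m.group(1), m.group(2)
        found.append(("service_unstoppable" if admins_cannot_stop(sddl) else "service_sdset", svc))
    # Injector-style helper: <target>.exe <payload>.dll as the trailing arguments
    m = re.search(r"(\S+\.exe)\s+(\S+\.dll)\s*$", cmdline, re.I)
    if m:
        found.append(("dll_injection", f"{m.group(1)} <- {m.group(2)}"))
    return found


def scan(cmdlines):
    """Return only the command lines that produced findings, paired with them."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


if __name__ == "__main__":
    for cmd, hits in scan(REPORT_CMDLINES):
        for rule, detail in hits:
            print(f"{rule:22} {detail}")
```

Run as a script it prints four findings for this report. In production, feed it the CommandLine field of Sysmon event 1 or Security event 4688 instead of REPORT_CMDLINES. The SDDL check is the one to keep even if you drop the rest: an sc sdset that takes SERVICE_STOP away from Administrators has no legitimate use on a workstation.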

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 8e040482-79e8-4700-b45e-e3d9ca8dc5e5.uuid.localstats.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server6.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server6.localstats.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.111:443 server6.localstats.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
BG 185.82.216.111:443 server6.localstats.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.111:443 server6.localstats.org tcp
N/A 127.0.0.1:31465 N/A tcp

Files

memory/1888-1-0x0000000003A00000-0x0000000003E08000-memory.dmp

memory/1888-2-0x0000000003E10000-0x00000000046FB000-memory.dmp

memory/1888-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3708-4-0x0000000004E40000-0x0000000004E76000-memory.dmp

memory/3708-5-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/3708-8-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/3708-7-0x0000000005610000-0x0000000005C38000-memory.dmp

memory/3708-6-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/3708-9-0x0000000005530000-0x0000000005552000-memory.dmp

memory/3708-10-0x0000000005C40000-0x0000000005CA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1zpnkms.ugb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3708-11-0x0000000005DA0000-0x0000000005E06000-memory.dmp

memory/3708-21-0x0000000005F10000-0x0000000006264000-memory.dmp

memory/3708-22-0x0000000006400000-0x000000000641E000-memory.dmp

memory/3708-23-0x0000000006430000-0x000000000647C000-memory.dmp

memory/3708-24-0x0000000006970000-0x00000000069B4000-memory.dmp

memory/3708-25-0x0000000007510000-0x0000000007586000-memory.dmp

memory/3708-27-0x00000000077B0000-0x00000000077CA000-memory.dmp

memory/3708-26-0x0000000007E10000-0x000000000848A000-memory.dmp

memory/3708-28-0x000000007EF50000-0x000000007EF60000-memory.dmp

memory/3708-29-0x0000000007970000-0x00000000079A2000-memory.dmp

memory/3708-41-0x00000000079B0000-0x00000000079CE000-memory.dmp

memory/3708-31-0x0000000070D90000-0x00000000710E4000-memory.dmp

memory/3708-42-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/3708-43-0x00000000079D0000-0x0000000007A73000-memory.dmp

memory/3708-30-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/3708-44-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

memory/3708-45-0x0000000007B80000-0x0000000007C16000-memory.dmp

memory/3708-46-0x0000000007AE0000-0x0000000007AF1000-memory.dmp

memory/3708-47-0x0000000007B20000-0x0000000007B2E000-memory.dmp

memory/3708-49-0x0000000007C20000-0x0000000007C3A000-memory.dmp

memory/3708-50-0x0000000007B70000-0x0000000007B78000-memory.dmp

memory/3708-48-0x0000000007B30000-0x0000000007B44000-memory.dmp

memory/3708-53-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/864-55-0x0000000003A40000-0x0000000003E45000-memory.dmp

memory/1888-56-0x0000000003A00000-0x0000000003E08000-memory.dmp

memory/864-57-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1472-59-0x0000000005620000-0x0000000005630000-memory.dmp

memory/1472-58-0x0000000005620000-0x0000000005630000-memory.dmp

memory/1888-70-0x0000000003E10000-0x00000000046FB000-memory.dmp

memory/1472-71-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/1472-69-0x0000000006310000-0x0000000006664000-memory.dmp

memory/1472-72-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/1472-73-0x0000000070DD0000-0x0000000071124000-memory.dmp

memory/1472-83-0x0000000007B50000-0x0000000007BF3000-memory.dmp

memory/1888-84-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1472-86-0x0000000005620000-0x0000000005630000-memory.dmp

memory/1472-85-0x0000000005620000-0x0000000005630000-memory.dmp

memory/1472-87-0x0000000007E60000-0x0000000007E71000-memory.dmp

memory/1472-88-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

memory/1472-91-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/3956-95-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

memory/3956-101-0x0000000005E20000-0x0000000006174000-memory.dmp

memory/3956-94-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

memory/3956-93-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8cd54a9f3a63933ab0d1a0ad300fa37f
SHA1 b05eb5102401c2b954ec727452a7cc453a2a1ffe
SHA256 57b65c8ba7452c308c7a444bf009281b919be18ccebf546283a76c64a588fa19
SHA512 8a55255019448cca464221dc68aa4e198a8b40b9cf26ac431a38941f72f5e0e5b3f6e897290a2c1c02f99392025e0e281d288a94804b5147499db29dd9a60901

memory/3956-108-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/3956-107-0x000000007F380000-0x000000007F390000-memory.dmp

memory/3956-109-0x0000000071390000-0x00000000716E4000-memory.dmp

memory/864-119-0x0000000003A40000-0x0000000003E45000-memory.dmp

memory/3956-120-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

memory/3956-122-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/372-123-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/372-129-0x0000000004740000-0x0000000004750000-memory.dmp

memory/372-131-0x0000000005610000-0x0000000005964000-memory.dmp

memory/372-130-0x0000000004740000-0x0000000004750000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f7631c5ed819925b691413953fa42a8c
SHA1 cfbe811fa92755c9c59d5729a55ad1c779705465
SHA256 e4c7a87c5d9d719fe9397fbd65289139a8000ded53738e421b857bdd00d7b8d5
SHA512 307a3f6a7b8a486600f40e479ecf7c62c4901cec14db59f213a4c88de5f3fcb33c702e72e744ceab70d611b8e797dd0889744570eb4386e7c8f80eb115ad7997

C:\Windows\rss\csrss.exe

MD5 2512b08a1bc97d813797fc59f756a374
SHA1 9973655d71eec6b09b3cee646dc8f2afbe541251
SHA256 5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c
SHA512 a84d3930c1feca2c50aa448d2f06e38f660a940413f479a314402a5002ccb59bb87c03c36839fb6398eebf8b3ec7ddf30e386ea13e5f57009ee61ddbd8821131

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f424216226df0d069a66ea89848ce97
SHA1 19346120c0e39f2dcb7b972c979e40175c23fcb7
SHA256 d1f7da0c3209fe9d2b3b3fb28a0cf51c6e1281157d251ffacce8082c6f5af559
SHA512 f6c31e239177505c840d732375bcc6d1182d9915deb1245f1f0a95358ac9eb77d913a84edebb994af53e9df9644df2b40d36963542391a473fc886fd7892186b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b8dd98116ded711db2da284a71b449f
SHA1 50788ee7cbd54dd9bfd4ff820c6785959c67f29f
SHA256 697a6c250f88ad7e23b5d7fc57675e46f0cc002b834d662de7fd71cbd3959cd7
SHA512 f5d2f8dc22bfd8cab844c0961faec4a1ed7cd9032c62c83f7819173043fb782ccd6eea072aa38870542d3138c4d286e3953932dec98a8d638dfb69cb5364bf73

memory/864-221-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7f337af066a34494253c74c07c1ae8b8
SHA1 14be6d20be960c208cfb03c7b54bfd20d7940565
SHA256 2484a3fbfb3dcbd1ecc845bd447bae779d7a6966fdfad1169b83932142006050
SHA512 8924b1810f1525fc0f29a551e1979ce95ab66fe9b66825401e4f98daf6ac6200c270e86e926f4febae08e86694995d3ceadd7b8c2be06982a7fe24b03ed9b236

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1044-256-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/224-264-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1044-267-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2724-269-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1044-271-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-275-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2724-277-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1044-279-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-283-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-287-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-291-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-295-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-299-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-303-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-307-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1044-311-0x0000000000400000-0x0000000001DFD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:07

Reported

2024-04-19 14:10

Platform

win11-20240412-en

Max time kernel

149s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2248 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe C:\Windows\rss\csrss.exe
PID 540 wrote to memory of 2908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 5032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4820 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4352 wrote to memory of 4124 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe

"C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe

"C:\Users\Admin\AppData\Local\Temp\5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6590bab6-a717-4036-82b1-c804d2b482dc.uuid.localstats.org udp
US 8.8.8.8:53 server4.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server4.localstats.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ht0cfovx.0u1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a16ab384990b1177c8bf059f4f0f0b92
SHA1 d146b43c42ef4b9c2cad31db096c6e403031649e
SHA256 425e5ec2798af6374c80072fe35e3f53346f08d35ba5f601315a4b653043b3f7
SHA512 49dda85714c143aca14ab267a2f4fafd0f111698c0c30cafaffc0a21c94e56362e957fdc8396e34b360ed13064bf3dde5f2e1911b97c6b29e1a012a8984c8fb7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 50a80caff0dd46e603b88e2ed955c7fc
SHA1 8b004651f073b78cdf970ea59e3b6dd64185fbc2
SHA256 fa248df4cdb063c2c1377a23b3ae077354d3b8c1fa7078b0a0b433a0bc2e168e
SHA512 c439cffce21b4d50b3743304f511d857a1e54cae5a7b50b3d35a2ab18ff30b5645239d570d9e1d48f1a8bce500966716f32ca8033d171817b336f358fa068794

C:\Windows\rss\csrss.exe

MD5 2512b08a1bc97d813797fc59f756a374
SHA1 9973655d71eec6b09b3cee646dc8f2afbe541251
SHA256 5c3f4241fbb64a371dc6ee56dc53a2bf9cf6c5715e7cae5f0218f9bc20ae6f6c
SHA512 a84d3930c1feca2c50aa448d2f06e38f660a940413f479a314402a5002ccb59bb87c03c36839fb6398eebf8b3ec7ddf30e386ea13e5f57009ee61ddbd8821131

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3091b40aa5bdeec386fa2898327e87b
SHA1 c6ba47c69576055f0faf1b81c59069c8011c5045
SHA256 c96ae74aff624da13af6ac4bf76b997c28fa07f7bd96d4ff5c3fe53d2b7eeeef
SHA512 6a54eaa11c2e723cd23d9244a9c90bfbae3d5c45812bd9d95627201b8ae87850b7910476054573f166bb27d86d3fd6d7f8e576b97515840f24a9f3615d3df53a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f673ac9bae6369588ab4fb4bd1292944
SHA1 dc38b416dbd074acce8e78c7ff9744aea805662d
SHA256 06ead9aa7c73b79ba57c651262b765ce1e2614f5bb8851f4b81432a8e41cc2d6
SHA512 78c71e63c138b19b182db36719bcf2b1d2ccde607310122c141702ef149ecb94db1d63e1a73921addbd0808d7429bdcc0aa61f964cf416f55e5c6724555bf320

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b1015e903d4e6d16ae2dda5aa1badad7
SHA1 23bb940495a873dcce8346f960d2369cbd8e0f3a
SHA256 1f291e51c9fb37194145f95032e2791a9fa1767dd905ce50e2a879bbb8ee9eb3
SHA512 aa99dbf976da208fde591c24c8e36a9d4070ea7b8d532f7167560cc164705f322f9696eacb0331481c211fc21ed18f7182ebaf140f09f7945cf49e6ab6a7cf7a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
