Malware Analysis Report

2025-08-06 03:32

Sample ID 240419-rgn6fsec93
Target 02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605
SHA256 02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605

Threat Level: Known bad

The file 02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Program crash

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:10

Reported

2024-04-19 14:12

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2956 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1192 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\rss\csrss.exe
PID 1192 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\rss\csrss.exe
PID 1192 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\rss\csrss.exe
PID 852 wrote to memory of 1440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 4956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 4956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 4956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1848 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 852 wrote to memory of 1848 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4808 wrote to memory of 3360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 3360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 3360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3360 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3360 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3360 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe

"C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 2512

C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe

"C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 34afc466-5b09-4351-8705-a6a7cc4026ec.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server2.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp

Files

memory/2180-1-0x0000000003A70000-0x0000000003E69000-memory.dmp

memory/2180-2-0x0000000003E70000-0x000000000475B000-memory.dmp

memory/2180-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/5012-4-0x0000000002A40000-0x0000000002A76000-memory.dmp

memory/5012-5-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/5012-6-0x0000000005340000-0x0000000005968000-memory.dmp

memory/5012-7-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

memory/5012-8-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

memory/5012-9-0x0000000005170000-0x0000000005192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xstvcksa.jaw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5012-10-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/5012-16-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/5012-21-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/5012-22-0x0000000006060000-0x000000000607E000-memory.dmp

memory/5012-23-0x0000000006080000-0x00000000060CC000-memory.dmp

memory/5012-24-0x0000000006580000-0x00000000065C4000-memory.dmp

memory/5012-25-0x0000000007370000-0x00000000073E6000-memory.dmp

memory/5012-26-0x0000000007A70000-0x00000000080EA000-memory.dmp

memory/5012-27-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/5012-28-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

memory/5012-29-0x00000000075B0000-0x00000000075E2000-memory.dmp

memory/5012-30-0x0000000070370000-0x00000000703BC000-memory.dmp

memory/5012-31-0x00000000704F0000-0x0000000070844000-memory.dmp

memory/5012-41-0x00000000075F0000-0x000000000760E000-memory.dmp

memory/5012-42-0x0000000007610000-0x00000000076B3000-memory.dmp

memory/5012-43-0x0000000007700000-0x000000000770A000-memory.dmp

memory/5012-44-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/2180-45-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1192-47-0x0000000003930000-0x0000000003D31000-memory.dmp

memory/1192-49-0x0000000003E40000-0x000000000472B000-memory.dmp

memory/2180-48-0x0000000003E70000-0x000000000475B000-memory.dmp

memory/1192-50-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3608-51-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/3608-52-0x0000000002560000-0x0000000002570000-memory.dmp

memory/3608-53-0x0000000002560000-0x0000000002570000-memory.dmp

memory/3608-63-0x0000000005600000-0x0000000005954000-memory.dmp

memory/3608-64-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/3608-65-0x000000007F340000-0x000000007F350000-memory.dmp

memory/3608-66-0x0000000070470000-0x00000000704BC000-memory.dmp

memory/3608-67-0x0000000070610000-0x0000000070964000-memory.dmp

memory/3608-78-0x0000000006C70000-0x0000000006D13000-memory.dmp

memory/3608-77-0x0000000002560000-0x0000000002570000-memory.dmp

memory/3608-79-0x0000000002560000-0x0000000002570000-memory.dmp

memory/3608-80-0x0000000007060000-0x00000000070F6000-memory.dmp

memory/3608-81-0x0000000006F80000-0x0000000006F91000-memory.dmp

memory/3608-82-0x0000000006FC0000-0x0000000006FCE000-memory.dmp

memory/3608-83-0x0000000006FD0000-0x0000000006FE4000-memory.dmp

memory/3608-84-0x0000000007010000-0x000000000702A000-memory.dmp

memory/3608-85-0x0000000007000000-0x0000000007008000-memory.dmp

memory/3608-88-0x0000000074570000-0x0000000074D20000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/808-90-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/808-91-0x00000000052F0000-0x0000000005300000-memory.dmp

memory/808-92-0x00000000052F0000-0x0000000005300000-memory.dmp

memory/1192-93-0x0000000003930000-0x0000000003D31000-memory.dmp

memory/808-103-0x0000000006480000-0x00000000067D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ded5449fa58f0519870a2223305bfc96
SHA1 2db02e1e03e203fc4c5d299038a5e0c2cc564a1d
SHA256 db16eab4bd65c1de374a85b77bf74f0bd5434cbda1c59d6779587ea3dd89567d
SHA512 c81f58fed2ca0f4371eab82317d9ec27fc3a68759e4768ba02edb9c3e5892dc1a581a3ccace5b48614c7b38029cdf17fe2be1ca37ccc90c6bb63fea4df5b38ea

memory/808-106-0x0000000070470000-0x00000000704BC000-memory.dmp

memory/808-105-0x000000007F950000-0x000000007F960000-memory.dmp

memory/808-107-0x00000000705F0000-0x0000000070944000-memory.dmp

memory/808-117-0x00000000052F0000-0x0000000005300000-memory.dmp

memory/808-119-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/4296-120-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/4296-121-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/1192-131-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d6178cfd9f9b120ee9fadf4bb9990689
SHA1 70efae9c8ad827b0089786fe6e6cc1636e4c3cea
SHA256 89ca55b9b13b791025fa501c92832e782f5d85d7bf1e6eccfca60ba2e1cd8b1c
SHA512 bcab50b153436d6df685ceec485ae9fb9e66daf9b0afb1399dd6b2f93afbb8d1fe3775d31da2bb173015b93c0fbca2564698f80d4440b6e6f100c9810dce3968

memory/4296-133-0x0000000070470000-0x00000000704BC000-memory.dmp

memory/4296-134-0x00000000705F0000-0x0000000070944000-memory.dmp

memory/4296-144-0x0000000004A90000-0x0000000004AA0000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ddfbe9d3ae995263ffffc5db587027de
SHA1 04c58b00b758312816ac2447a431dceb1b89bf4f
SHA256 02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605
SHA512 5b3cc952c550b972fb9774d1c08b1cc1d919f40f11c900b5a82c569bd3b33f191266f162fdc348a6bb1339e7d57a53634e5b3a4bbadd35f8910439ff7e553865

memory/1192-153-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb3188d1b453795e7d7188cbaa3561be
SHA1 36c2810bad1d0f31c2698c3d00d12bfed9ae0db7
SHA256 f11dbc40924fd2d3950976f14653f4923751057895cbf1397babb596d08de49a
SHA512 82dbce82a73c5163655470a5a50965f47ad1f03754da38905290ac92d88fb09cbf617471a3ddd280b1e009e2c003a8943a62982148c58d64c8f6d25c52ef75c4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0d014155ab8d58dc2f24b4ec7b8521b5
SHA1 a03b06f6c404572bf8f690c33d922497067c6439
SHA256 8d0f2fc90b990b55a144f345e5800bc9522db345a73756ad78571e57580de1b6
SHA512 d6d137e2af0569b2d8770517d45f1cfa17bac1c6d87e37c99c5c0d995b66f46f8443a6e738ba486fb08676ecbfbe77412bdfe9e77d963473f9e6b6b522a35635

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5673cb980913567f50e8caf2318483e6
SHA1 2c55a6492c5aea0c4b03ab622187c2d2e885cc29
SHA256 f318091d4a80acfc82105cdd9370b25355fb240d7f6c8d4001209fa7a1f845be
SHA512 727884afa9484f67933f1abb0b9f942db50269be62257d8f44beaea3c43462cc11ba45014c85f3036392f1f95a20d712c1813a823de3b5b7df1ff017bed078bc

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/852-258-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4808-265-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/852-267-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3568-268-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/852-270-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-273-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3568-274-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/852-276-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-279-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-282-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-285-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-288-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-291-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-294-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-297-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/852-300-0x0000000000400000-0x0000000001DFD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:10

Reported

2024-04-19 14:12

Platform

win11-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\system32\cmd.exe
PID 5100 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2012 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5100 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\rss\csrss.exe
PID 5100 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\rss\csrss.exe
PID 5100 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe C:\Windows\rss\csrss.exe
PID 1228 wrote to memory of 3144 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 3144 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 3144 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 1700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 1700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 1700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1228 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2012 wrote to memory of 1484 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1484 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1484 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1484 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1484 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
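The table above lists one row per WriteProcessMemory call, so the same parent/child pair repeats up to three times, and the sandbox reuses PIDs within the run: 2012 is first C:\Windows\system32\cmd.exe and later C:\Windows\windefender.exe, and 992 is first netsh.exe and later sc.exe. Reading the rows as a flat PID graph would wrongly hang sc.exe off the firewall-rule cmd.exe. The Python below is an added example, not part of this report: it parses rows in the table's format, drops the duplicates, keys every process on (PID, image path) so a reused PID is not merged, and renders each lineage. The row text is copied from the table (with the first row deliberately repeated, as in the report); the regular expression assumes image paths without spaces, which holds for every row here.

```python
"""Rebuild process lineage from sandbox 'PID X wrote to memory of Y' rows.

Added example; the rows are copied from the report table above. PIDs are
sandbox-local and carry no meaning outside this detonation.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"

# Constructed input: the table rows, including one of the report's repeats.
ROWS = "\n".join([
    f"PID 3480 wrote to memory of 1688 N/A {SAMPLE} {PS}",
    f"PID 3480 wrote to memory of 1688 N/A {SAMPLE} {PS}",
    f"PID 5100 wrote to memory of 3152 N/A {SAMPLE} {PS}",
    f"PID 5100 wrote to memory of 2012 N/A {SAMPLE} C:\\Windows\\system32\\cmd.exe",
    f"PID 2012 wrote to memory of 992 N/A C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\netsh.exe",
    f"PID 5100 wrote to memory of 4048 N/A {SAMPLE} {PS}",
    f"PID 5100 wrote to memory of 4356 N/A {SAMPLE} {PS}",
    f"PID 5100 wrote to memory of 1228 N/A {SAMPLE} {CSRSS}",
    f"PID 1228 wrote to memory of 3144 N/A {CSRSS} {PS}",
    f"PID 1228 wrote to memory of 1700 N/A {CSRSS} {PS}",
    f"PID 1228 wrote to memory of 3400 N/A {CSRSS} {PS}",
    f"PID 1228 wrote to memory of 4740 N/A {CSRSS} C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe",
    f"PID 2012 wrote to memory of 1484 N/A C:\\Windows\\windefender.exe C:\\Windows\\SysWOW64\\cmd.exe",
    f"PID 1484 wrote to memory of 992 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\sc.exe",
])

# Row layout: "PID <ppid> wrote to memory of <cpid> N/A <parent image> <child image>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return de-duplicated (ppid, pimage, cpid, cimage) tuples in first-seen order."""
    seen, out = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header lines, blanks, or rows in another format
        rec = (int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def build_tree(records):
    """Map (pid, image) -> [(pid, image), ...]; keying on the image keeps a reused PID apart."""
    children = defaultdict(list)
    for ppid, pimg, cpid, cimg in records:
        children[(ppid, pimg)].append((cpid, cimg))
    return children


def reused_pids(records):
    """PIDs that show up with more than one image: sandbox PID reuse, not one process."""
    images = defaultdict(set)
    for ppid, pimg, cpid, cimg in records:
        images[ppid].add(pimg)
        images[cpid].add(cimg)
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


def roots(children):
    """Parents that never appear as a child: the start of each lineage."""
    all_children = {c for kids in children.values() for c in kids}
    return [n for n in children if n not in all_children]


def render(children, node, depth=0, lines=None):
    """Indented lineage, one process per line, basename only for readability."""
    lines = [] if lines is None else lines
    pid, img = node
    lines.append("  " * depth + f"{pid} {ntpath.basename(img)}")
    for kid in children.get(node, []):
        render(children, kid, depth + 1, lines)
    return lines


if __name__ == "__main__":
    recs = parse_rows(ROWS)
    tree = build_tree(recs)
    for root in roots(tree):
        print("\n".join(render(tree, root)), end="\n\n")
    print("reused PIDs:", reused_pids(recs))
```

Run stand-alone it prints three lineages (two from the sample itself, one from windefender.exe, which is never a child in the table) and flags 992 and 2012 as reused; in a real EDR dataset the process start time or a process GUID would take the place of the image path as the disambiguator.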

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe

"C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe

"C:\Users\Admin\AppData\Local\Temp\02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
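The `sc sdset WinDefender ...` command above rewrites the security descriptor of the WinDefender service so that it cannot be stopped from an elevated prompt: compared with the stock service DACL, the Administrators (BA) allow ACE has lost WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and an explicit `(D;;WPDT;;;BA)` deny ACE is added, so `sc stop` and `net stop` fail for admins while Local System keeps full control. Because the command also writes an `S:` (SACL) part, sc.exe needs SeSecurityPrivilege, which is exactly the privilege the AdjustPrivilegeToken table shows it enabling. The decoder below is an added example, not part of the report; it uses the documented two-letter SDDL codes as they map onto service-object rights and well-known SID abbreviations, and is applied to the string copied verbatim from the command line. Its last check is the one a responder cares about: Administrators still hold WRITE_DAC (WD) and DELETE (SD), so the descriptor can be reset with another `sc sdset`, or the service deleted, before the process is killed.

```python
"""Decode a service SDDL string and report what Administrators can still do.

Added example. SDDL is copied from the sc.exe command line in the report above;
right and SID abbreviations follow the SDDL codes for service objects.
"""
import re

# Constructed input: the descriptor windefender.exe applies via sc sdset.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
        "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL access codes as interpreted for service objects.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
SIDS = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive",
        "SU": "Service", "WD": "Everyone"}

ACL_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(s):
    """Service SDDL uses two-letter codes; a raw hex mask (0x...) is kept whole."""
    return {s} if s.startswith("0x") else {s[i:i + 2] for i in range(0, len(s), 2)}


def parse_sddl(sddl):
    """Return {'DACL': [ace, ...], 'SACL': [ace, ...]}; each ace has type, flags, rights, sid."""
    acls = {}
    for key, body in ACL_RE.findall(sddl):
        aces = []
        for ace in ACE_RE.findall(body):
            f = ace.split(";")  # type;flags;rights;object;inherited_object;sid
            aces.append({
                "type": ACE_TYPES.get(f[0], f[0]),
                "flags": f[1],
                "rights": split_rights(f[2]),
                "sid": SIDS.get(f[5], f[5]),
            })
        acls["DACL" if key == "D" else "SACL"] = aces
    return acls


def effective_rights(acls, principal):
    """(granted, denied) for one principal: allow bits minus any deny bits.

    Windows evaluates the DACL in order; here the deny ACE sits after the
    Administrators allow ACE, but since that allow no longer lists WP/DT the
    outcome is the same as in canonical (deny-first) order.
    """
    allowed, denied = set(), set()
    for ace in acls["DACL"]:
        if ace["sid"] != principal:
            continue
        if ace["type"] == "allow":
            allowed |= ace["rights"]
        elif ace["type"] == "deny":
            denied |= ace["rights"]
    return allowed - denied, denied


def admins_can_stop(acls):
    """True if Administrators keep SERVICE_STOP."""
    return "WP" in effective_rights(acls, "Administrators")[0]


def admins_can_reset(acls):
    """True if Administrators keep WRITE_DAC and DELETE, i.e. can undo this with sc sdset / sc delete."""
    granted = effective_rights(acls, "Administrators")[0]
    return "WD" in granted and "SD" in granted


def explain(acls):
    """Human-readable DACL, one line per ACE."""
    return [f"{a['type']:5} {a['sid']:15} "
            + ", ".join(RIGHTS.get(r, r) for r in sorted(a["rights"]))
            for a in acls["DACL"]]


if __name__ == "__main__":
    acls = parse_sddl(SDDL)
    print("\n".join(explain(acls)))
    print("Administrators can stop:", admins_can_stop(acls))
    print("Administrators can reset DACL / delete:", admins_can_reset(acls))
```

On a live host the same check is `sc sdshow WinDefender` fed to `parse_sddl`; any service whose DACL denies BA the WP bit, or omits it from the BA allow ACE, deserves a look, since the stock descriptor grants Administrators every service right.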

Network

Country Destination Domain Proto
US 8.8.8.8:53 0f52502f-7d81-4d39-894a-86c153f69eb7.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server5.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp

Files

memory/3480-1-0x0000000003C50000-0x000000000404B000-memory.dmp

memory/3480-2-0x0000000004050000-0x000000000493B000-memory.dmp

memory/3480-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1688-5-0x00000000746B0000-0x0000000074E61000-memory.dmp

memory/1688-4-0x0000000004DD0000-0x0000000004E06000-memory.dmp

memory/1688-6-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

memory/1688-8-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

memory/1688-7-0x0000000005440000-0x0000000005A6A000-memory.dmp

memory/1688-9-0x0000000005370000-0x0000000005392000-memory.dmp

memory/1688-10-0x0000000005A70000-0x0000000005AD6000-memory.dmp

memory/1688-11-0x0000000005AE0000-0x0000000005B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kb11svpn.ksi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1688-20-0x0000000005D10000-0x0000000006067000-memory.dmp

memory/1688-21-0x0000000006240000-0x000000000625E000-memory.dmp

memory/1688-22-0x0000000006280000-0x00000000062CC000-memory.dmp

memory/1688-23-0x00000000067A0000-0x00000000067E6000-memory.dmp

memory/1688-24-0x000000007FAD0000-0x000000007FAE0000-memory.dmp

memory/1688-26-0x0000000070920000-0x000000007096C000-memory.dmp

memory/1688-25-0x0000000007670000-0x00000000076A4000-memory.dmp

memory/1688-27-0x0000000070AA0000-0x0000000070DF7000-memory.dmp

memory/1688-36-0x00000000076B0000-0x00000000076CE000-memory.dmp

memory/1688-37-0x00000000076D0000-0x0000000007774000-memory.dmp

memory/1688-38-0x0000000007E40000-0x00000000084BA000-memory.dmp

memory/1688-39-0x0000000007800000-0x000000000781A000-memory.dmp

memory/1688-40-0x0000000007840000-0x000000000784A000-memory.dmp

memory/1688-41-0x0000000007950000-0x00000000079E6000-memory.dmp

memory/1688-42-0x0000000007860000-0x0000000007871000-memory.dmp

memory/1688-43-0x00000000078B0000-0x00000000078BE000-memory.dmp

memory/1688-44-0x00000000078C0000-0x00000000078D5000-memory.dmp

memory/1688-45-0x0000000007910000-0x000000000792A000-memory.dmp

memory/1688-46-0x0000000007930000-0x0000000007938000-memory.dmp

memory/1688-49-0x00000000746B0000-0x0000000074E61000-memory.dmp

memory/5100-51-0x0000000003B10000-0x0000000003F0C000-memory.dmp

memory/5100-52-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3480-53-0x0000000003C50000-0x000000000404B000-memory.dmp

memory/5100-54-0x0000000003F10000-0x00000000047FB000-memory.dmp

memory/3152-55-0x00000000746B0000-0x0000000074E61000-memory.dmp

memory/3152-57-0x00000000063F0000-0x0000000006747000-memory.dmp

memory/3152-56-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3152-58-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3152-67-0x000000007FC70000-0x000000007FC80000-memory.dmp

memory/3152-69-0x0000000070B70000-0x0000000070EC7000-memory.dmp

memory/3152-68-0x0000000070920000-0x000000007096C000-memory.dmp

memory/3152-78-0x0000000007B00000-0x0000000007BA4000-memory.dmp

memory/3480-79-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3152-80-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/3152-81-0x0000000007E50000-0x0000000007E61000-memory.dmp

memory/3152-82-0x0000000007EA0000-0x0000000007EB5000-memory.dmp

memory/3152-85-0x00000000746B0000-0x0000000074E61000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4048-88-0x00000000746B0000-0x0000000074E61000-memory.dmp

memory/4048-90-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/4048-89-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e82c81e94fc6c7c5112ad6cbd91e08ab
SHA1 84c8107ce3c471fe5f2561f851a013050dca6a94
SHA256 90afb2f28a512a68752f3f4025313a93562ac96f06ba99d20b7a15d933e0b66a
SHA512 6a5ff0de3d90ae624dcac50bf106dc2b45c8365bd2bfc813f1263992cb6024eccd6e547d74312bf64923f68ca8037179a02d7e0b8d153191429809fb405f9373

memory/4048-100-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

memory/4048-101-0x0000000070920000-0x000000007096C000-memory.dmp

memory/4048-102-0x0000000070B70000-0x0000000070EC7000-memory.dmp

memory/5100-111-0x0000000003B10000-0x0000000003F0C000-memory.dmp

memory/4048-112-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/4048-114-0x00000000746B0000-0x0000000074E61000-memory.dmp

memory/4356-115-0x00000000746B0000-0x0000000074E61000-memory.dmp

memory/5100-116-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 241851a11d33ab5cedbcda13adcb69a9
SHA1 47c78aa2396b98f13add02fe10d16555ecc31095
SHA256 dcf84da5bfab98fd31c2a77dd62380bdc6dfffea70511e73b9fac4ae306c4cad
SHA512 8b0a583d10ea1162bd248aff053b4dccae780368ff69ad858715e9d53c928997be19bd726039605e4f3e5c9202299183df56f8b5d2f9b31722faf3e25f8a4145

memory/4356-126-0x0000000070920000-0x000000007096C000-memory.dmp

memory/4356-127-0x0000000070B70000-0x0000000070EC7000-memory.dmp

memory/4356-135-0x0000000005220000-0x0000000005230000-memory.dmp

memory/4356-138-0x00000000746B0000-0x0000000074E61000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ddfbe9d3ae995263ffffc5db587027de
SHA1 04c58b00b758312816ac2447a431dceb1b89bf4f
SHA256 02c83cc25125b11264c1b0e28694a0914e0b6ed7eaf36a8f550e7a81c0ab0605
SHA512 5b3cc952c550b972fb9774d1c08b1cc1d919f40f11c900b5a82c569bd3b33f191266f162fdc348a6bb1339e7d57a53634e5b3a4bbadd35f8910439ff7e553865

memory/5100-141-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-145-0x0000000003D00000-0x0000000004100000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4dc27d8efc81d6d40ff8a0a51a249ed0
SHA1 311a65b2e58b7b0841288e629d999f4544923ad1
SHA256 a1dac891565a612d05651715270d4f4344c744720d020657e0e49a211964c6b4
SHA512 93f9904d06acec2cc17cc74f1ee684384cea73892ca6685517f34d32461a4329a546e522e2d0ffa8cc9b66113bbc6f03e4a6f0bfc50d100708bd22cd0f399ad9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8f673386a88114d53d788bc57125f687
SHA1 97dffad39d822864fb3865ddaf8cdfa0e110fd38
SHA256 258ae57699c8c3a6e8953b159e26aa08b4417b4e9a9ba7d45a6e07c91d98ddca
SHA512 fb4caa8ec012431ef045828987e21052f5a455500d7f3ddf7872150caf120c38aa62b0cd0870e7dc521a7e51a4a3f1bcc53b59386ef7da31a2c06595bdc424d7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1112156e66d7675a269061dbcce33fb3
SHA1 85e8d6ece267452723ac4f42e7be24c4045cc4de
SHA256 831dbe84d87ef95905afe92c3937b051e5aee52ec294fdfb7d9e70b4f79d91cd
SHA512 db2c38985b9e3ab7823991a27b21aaaca12cd523a626922db62d3cd3e71b79e8286d0b4d22adfd290b0702cf747e53f2b5324875a290399593536fcbe56ea96a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1228-237-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2012-246-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1228-247-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1232-249-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1228-250-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-253-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1232-255-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1228-256-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-259-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-262-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1232-264-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1228-265-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-268-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-271-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-274-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-277-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1228-280-0x0000000000400000-0x0000000001DFD000-memory.dmp