Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-tfab1shd21
Target 885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b
SHA256 885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b

Threat Level: Known bad

The file 885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2024-04-19 15:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 15:59

Reported

2024-04-19 16:02

Platform

win11-20240412-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2284 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\rss\csrss.exe
PID 2816 wrote to memory of 564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1460 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1648 wrote to memory of 1204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe

"C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe

"C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 41e3ff03-5756-448e-946f-603419ed5ea5.uuid.theupdatetime.org udp
US 8.8.8.8:53 server5.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server5.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server5.theupdatetime.org tcp

Files

memory/1956-1-0x0000000003C50000-0x0000000004051000-memory.dmp

memory/1956-2-0x0000000004060000-0x000000000494B000-memory.dmp

memory/1956-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2928-5-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/2928-4-0x0000000002620000-0x0000000002656000-memory.dmp

memory/2928-6-0x0000000004830000-0x0000000004840000-memory.dmp

memory/2928-8-0x0000000004E70000-0x000000000549A000-memory.dmp

memory/2928-7-0x0000000004830000-0x0000000004840000-memory.dmp

memory/2928-9-0x0000000004C20000-0x0000000004C42000-memory.dmp

memory/2928-10-0x0000000005510000-0x0000000005576000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0fafngt.bjf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2928-16-0x0000000005580000-0x00000000055E6000-memory.dmp

memory/2928-20-0x0000000005640000-0x0000000005997000-memory.dmp

memory/2928-21-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

memory/2928-22-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/2928-23-0x0000000006BF0000-0x0000000006C36000-memory.dmp

memory/2928-24-0x000000007F370000-0x000000007F380000-memory.dmp

memory/2928-25-0x0000000006EE0000-0x0000000006F14000-memory.dmp

memory/2928-26-0x0000000070170000-0x00000000701BC000-memory.dmp

memory/2928-27-0x00000000702F0000-0x0000000070647000-memory.dmp

memory/2928-36-0x0000000006F20000-0x0000000006F3E000-memory.dmp

memory/2928-38-0x0000000006F40000-0x0000000006FE4000-memory.dmp

memory/2928-37-0x0000000004830000-0x0000000004840000-memory.dmp

memory/2928-39-0x00000000076B0000-0x0000000007D2A000-memory.dmp

memory/2928-40-0x0000000007070000-0x000000000708A000-memory.dmp

memory/2928-41-0x00000000070B0000-0x00000000070BA000-memory.dmp

memory/2928-42-0x00000000071C0000-0x0000000007256000-memory.dmp

memory/2928-43-0x00000000070D0000-0x00000000070E1000-memory.dmp

memory/2928-44-0x0000000007120000-0x000000000712E000-memory.dmp

memory/2928-45-0x0000000007130000-0x0000000007145000-memory.dmp

memory/2928-46-0x0000000007180000-0x000000000719A000-memory.dmp

memory/2928-47-0x00000000071A0000-0x00000000071A8000-memory.dmp

memory/2928-50-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/1956-51-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1956-53-0x0000000004060000-0x000000000494B000-memory.dmp

memory/2284-54-0x0000000003A90000-0x0000000003E8D000-memory.dmp

memory/2284-55-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2332-56-0x0000000005210000-0x0000000005220000-memory.dmp

memory/2332-57-0x0000000005210000-0x0000000005220000-memory.dmp

memory/2332-58-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/2332-67-0x00000000060F0000-0x0000000006447000-memory.dmp

memory/2332-68-0x0000000006B40000-0x0000000006B8C000-memory.dmp

memory/2332-69-0x000000007F550000-0x000000007F560000-memory.dmp

memory/2332-70-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2332-71-0x0000000070420000-0x0000000070777000-memory.dmp

memory/2332-81-0x0000000005210000-0x0000000005220000-memory.dmp

memory/2332-82-0x0000000005210000-0x0000000005220000-memory.dmp

memory/2332-80-0x0000000007850000-0x00000000078F4000-memory.dmp

memory/2332-83-0x0000000007B80000-0x0000000007B91000-memory.dmp

memory/2332-84-0x0000000007BD0000-0x0000000007BE5000-memory.dmp

memory/2332-87-0x0000000073FA0000-0x0000000074751000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/5012-89-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/5012-90-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/5012-91-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 32174d1e0e85e881ff7537c39769227e
SHA1 a5d2db67480b8ed4b8e4954b8a6c8deb0ca5f9bf
SHA256 2b8d62ac234ad02d6580489bf9e1be16f13b093e60a2b4d8a063e6b8272dfc3f
SHA512 fb35c3f980d131fcc1ec338de0400ff2bc0833ba0517670f42bf1d780eae5081c8ec19d5dfac235923aa9a0f8a5238535813915bfe57ecfe2134e70eb7ee2dfd

memory/5012-101-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/5012-102-0x0000000070420000-0x0000000070777000-memory.dmp

memory/5012-111-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/5012-112-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/5012-114-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/3496-115-0x0000000073FA0000-0x0000000074751000-memory.dmp

memory/3496-124-0x0000000005E10000-0x0000000006167000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9353ad8b693a95090c081b79d00c9d5c
SHA1 19a2952ec3a3a35da7b003e58a4e0098bb6eaa1d
SHA256 824a09417cf0b43cb9a59cb916e8e6341b58a61f204f5b278dcc2d4aae5558e5
SHA512 662c98202955c45771251e0bb715c9685663f6a90fa111a781dfc6cc4df96259932435b78be14b3a00627ec38b2103ab41be5b91c75c3bd1eb46bb71afe20156

memory/3496-126-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/3496-127-0x000000007F300000-0x000000007F310000-memory.dmp

memory/3496-128-0x0000000070BC0000-0x0000000070F17000-memory.dmp

memory/2284-137-0x0000000003A90000-0x0000000003E8D000-memory.dmp

memory/2284-138-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0752e6bbcf73d611cd3fb9050bf22554
SHA1 546d13876ac7dbc4e035d926c452d841afe6fafd
SHA256 885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b
SHA512 1ed59f770a9cea6e5aca93ce882bdbe84748fd1be26c92b840230e34332c7cd6ba02162ee2ce262e2e50ac9ef99dafd96f9821aeb3552235bf000f5807e36b19

memory/2284-145-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 56f481d34a35fb0db36678b8ea872a04
SHA1 051a5e02fb3c4d24dc6c9d36c988829e495a950d
SHA256 a5f0e0c96bdc9e961eadb1d4470f6694f402f4637188f0469e06be7de8ff8d23
SHA512 e8cfc16486e26b3c82226db3eed67cc4f333ce9eab38762994148ba611b9a47c701d6a0d03707aae4119f6ce075f249a5c7ef480f07f6d8f1752908d8ca7c219

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7e76eb73489d535239377be823a43b0e
SHA1 b6e530e2a9fa05a7c8f3cd5d731427d52973df1c
SHA256 334619df9d033fb8bcc8952d4c00b21e5df34ba4269aa2f05076a290051fe997
SHA512 9baa0612c8353c4eedf83aad22835cdb4b4ba28df8792ef7c7d234360efa0e5416071b9c57440686919333fe85245e2b358415fea05d7f7291357297edd63385

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 df5f2812c2238e15daf1636d04cabceb
SHA1 96bdd8e96358ca38ea31be4324491bb76a382cc0
SHA256 edc6300f735ccd1d083d983ea1d4f7fa524b458f7d1b859ef17dcaa4cc807aad
SHA512 cd1e806667e095c1d2831e03794188fa87d6ab74cb9acac9a5739fb363735b26044bcf4097ca050b0ae4818e7605cd2f4e35f6a37e18eb65d9bdfbd1442d32ba

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2816-243-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2816-247-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1648-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2816-253-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4884-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2816-255-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-257-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4884-258-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2816-259-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-261-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-263-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-265-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-267-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-269-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-271-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2816-273-0x0000000000400000-0x0000000001DFD000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 15:59

Reported

2024-04-19 16:02

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 4260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5076 wrote to memory of 4260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4924 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\rss\csrss.exe
PID 4924 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\rss\csrss.exe
PID 4924 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe C:\Windows\rss\csrss.exe
PID 2956 wrote to memory of 2624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4164 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2956 wrote to memory of 4164 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3416 wrote to memory of 3692 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 3692 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 3692 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3692 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3692 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe

"C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe

"C:\Users\Admin\AppData\Local\Temp\885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88a18dac-4c41-4b12-a95c-8fe8f8c847e4.uuid.theupdatetime.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server4.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4492-1-0x0000000003A40000-0x0000000003E3C000-memory.dmp

memory/4492-2-0x0000000003E40000-0x000000000472B000-memory.dmp

memory/4492-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2188-5-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/2188-4-0x00000000050B0000-0x00000000050E6000-memory.dmp

memory/2188-6-0x0000000005100000-0x0000000005110000-memory.dmp

memory/2188-7-0x0000000005100000-0x0000000005110000-memory.dmp

memory/2188-8-0x0000000005740000-0x0000000005D68000-memory.dmp

memory/2188-9-0x00000000056E0000-0x0000000005702000-memory.dmp

memory/2188-10-0x0000000005FD0000-0x0000000006036000-memory.dmp

memory/2188-16-0x0000000006040000-0x00000000060A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mw5v0iig.ytz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2188-21-0x00000000061B0000-0x0000000006504000-memory.dmp

memory/2188-22-0x0000000006680000-0x000000000669E000-memory.dmp

memory/2188-23-0x00000000066E0000-0x000000000672C000-memory.dmp

memory/2188-24-0x0000000006BE0000-0x0000000006C24000-memory.dmp

memory/2188-25-0x00000000079B0000-0x0000000007A26000-memory.dmp

memory/2188-26-0x00000000080B0000-0x000000000872A000-memory.dmp

memory/2188-27-0x0000000007A50000-0x0000000007A6A000-memory.dmp

memory/2188-28-0x0000000007C10000-0x0000000007C42000-memory.dmp

memory/2188-30-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/2188-29-0x000000007F9E0000-0x000000007F9F0000-memory.dmp

memory/2188-31-0x0000000070BE0000-0x0000000070F34000-memory.dmp

memory/2188-42-0x0000000005100000-0x0000000005110000-memory.dmp

memory/2188-41-0x0000000007C50000-0x0000000007C6E000-memory.dmp

memory/2188-43-0x0000000007C70000-0x0000000007D13000-memory.dmp

memory/2188-44-0x0000000007D60000-0x0000000007D6A000-memory.dmp

memory/2188-45-0x0000000007E20000-0x0000000007EB6000-memory.dmp

memory/2188-46-0x0000000007D80000-0x0000000007D91000-memory.dmp

memory/2188-47-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

memory/2188-48-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

memory/2188-49-0x0000000007EC0000-0x0000000007EDA000-memory.dmp

memory/2188-50-0x0000000007E10000-0x0000000007E18000-memory.dmp

memory/2188-53-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4492-55-0x0000000003A40000-0x0000000003E3C000-memory.dmp

memory/4924-56-0x0000000003A00000-0x0000000003DFB000-memory.dmp

memory/4924-57-0x0000000003E00000-0x00000000046EB000-memory.dmp

memory/4924-58-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2780-59-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4492-69-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2780-71-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/2780-72-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/2780-73-0x000000007FD10000-0x000000007FD20000-memory.dmp

memory/2780-74-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/2780-75-0x0000000070BE0000-0x0000000070F34000-memory.dmp

memory/2780-85-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/2780-86-0x00000000072D0000-0x0000000007373000-memory.dmp

memory/2780-87-0x00000000075F0000-0x0000000007601000-memory.dmp

memory/2780-88-0x0000000007640000-0x0000000007654000-memory.dmp

memory/2780-91-0x0000000074BC0000-0x0000000075370000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2892-93-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/2892-94-0x0000000002950000-0x0000000002960000-memory.dmp

memory/2892-95-0x0000000002950000-0x0000000002960000-memory.dmp

memory/2892-101-0x0000000005920000-0x0000000005C74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 84f728797279c6b078bd026dda261dba
SHA1 d4adb26397caaeacaae049324166b7da22a2ed42
SHA256 3ab3e46a8610f50de246f931768e1babe2303f636f37539049f35a3957dae87f
SHA512 08a687116b3f48847e5c1cbb543543aa410ff086dd4c13464f89141144f591d0b3584b4e1fbd1994cf653c289e3d2d9cc260ccb277307fd2f3d87c64e9bad317

memory/2892-108-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/2892-110-0x00000000711E0000-0x0000000071534000-memory.dmp

memory/2892-109-0x000000007F510000-0x000000007F520000-memory.dmp

memory/4924-107-0x0000000003A00000-0x0000000003DFB000-memory.dmp

memory/4924-120-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2892-121-0x0000000002950000-0x0000000002960000-memory.dmp

memory/2892-123-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4924-124-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2860-125-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/2860-127-0x0000000002770000-0x0000000002780000-memory.dmp

memory/2860-126-0x0000000002770000-0x0000000002780000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f6356d404f7a44ec18c1d339767272e7
SHA1 a0f2391d2feb862eb552ee493fd30bf6541a21e7
SHA256 4956d3e123c9c34accbacbfed06a8819bcd86bd518d6029f066fe80c6d690574
SHA512 37e20daaa7ba3090b05ab016278a861ef3f77aeaae4d3b8d5015a17759427aec92ca4ecf44a8c8fbb37ff7b6d49a8eb60462fc683a856ae00be5daf073e9b877

memory/2860-139-0x0000000070A60000-0x0000000070AAC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0752e6bbcf73d611cd3fb9050bf22554
SHA1 546d13876ac7dbc4e035d926c452d841afe6fafd
SHA256 885a119b2f65c029a58db3eee2cf50402bee07b5a026a5beed40b074382e253b
SHA512 1ed59f770a9cea6e5aca93ce882bdbe84748fd1be26c92b840230e34332c7cd6ba02162ee2ce262e2e50ac9ef99dafd96f9821aeb3552235bf000f5807e36b19

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a43a4d89d496bb6c9ef8b26aec5457bb
SHA1 dc1fef5a9d91812c67c630426c2e9242d9fcb0f4
SHA256 bd6baf4be2adc1c270a190d876f4bef5eeca9d188f3958c6909af3bad6421b81
SHA512 972c513219c949045b2ce23c53aa2fd667f68bf3a25f779f0c86ebf020d36f7b1fc8e807ea4b19692fd97dffeaf043cca35a933edb22ded78f6de75a06ec0187

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 53ac85e1f788ca3ab394bf60c20e7231
SHA1 eab284c0a14f037c7913f075909a5667b11e9812
SHA256 ab306992bc892732493758bcf082e9cfdc5b25d6b75eb131187a694ebad0b370
SHA512 e078caa49e7cca355487f3518605f131b59cf4a5f5437550501d78f79d2e90964bb75fa5e1e1e646ed2460c81053aa7f418eb4dbf0873f7e90492546f0c70ea8

memory/4924-203-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 18b32760275f3d43f81b12872b068b6f
SHA1 538cbdd4c722d99050ce1242d013910545433d8b
SHA256 97633dff5906c612620f6bf8d35fcbf877a1d9bc37dd246c6c2ec9fa4397991c
SHA512 4d78737db551b9a66cf6220a88ae8b9812be51eac30ae5318cf5b83aa588530dc170e3ec184cddf367a47dc8dc9feb5e78c046cef721dba37cdbae1968e5f2b8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2956-259-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2956-266-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3416-270-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2956-273-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3476-274-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2956-277-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2956-281-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2956-285-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3476-286-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2956-289-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2956-293-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2956-297-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2956-301-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2956-305-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2956-309-0x0000000000400000-0x0000000001DFD000-memory.dmp