Malware Analysis Report

2025-08-05 12:18

Sample ID 240419-x33hvsdc45
Target 3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad
SHA256 3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad

Threat Level: Known bad

The file 3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:23

Reported

2024-04-19 19:26

Platform

win11-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 416 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\system32\cmd.exe
PID 1056 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1056 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\rss\csrss.exe
PID 2684 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\rss\csrss.exe
PID 2684 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\rss\csrss.exe
PID 4776 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 4876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 4876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 4876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 3352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 3352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 3352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 2316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4776 wrote to memory of 2316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 984 wrote to memory of 4496 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4496 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4496 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4496 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4496 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe

"C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe

"C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2684 -ip 2684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 70fb6f8a-242f-42a2-9333-f40777874b5b.uuid.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.dumperstats.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server13.dumperstats.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
N/A 127.0.0.1:3478 udp
IE 52.111.236.21:443 tcp
BG 185.82.216.111:443 server13.dumperstats.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mvejujs2.izv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 78b1dabdc7f4d153d2cba4b358ba76a2
SHA1 5fff806e48fd6a58d034b3a2ae691d421441f2f4
SHA256 865a9765036543d7c7232cca29d11f72547f9d2d8e154847868be829b14e9924
SHA512 ee6250198b1f4a7435172175c3e6f3cc642329ae9f40770fd19056b33e89036a86f519ef88ba5b1e2b8a1d74df8102e160b33a2b6bb692472c8bf5557f5e8f93

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c53d1b39e41e7a85d218721e31559d3e
SHA1 fbeb9612abf5485872db3d3865ef70b9f51c99c7
SHA256 7c87b0279aec4d2a64c1c617070913f04f77e9be55c8c170b4a949b20ed31f11
SHA512 e5996b84a3616c07ea681fbb511ec4ade994d15b5faec94666d87bc4802f9b0f14ffcdca4f945aea8af52f4161c2771cc8fb67a4ef208ca27f8f1fb33c0118aa

C:\Windows\rss\csrss.exe

MD5 9d5b3ce4eae736e3f07eb14565523e7a
SHA1 bccb9a3ddc66b0610e9b88d379f19b6f39020ff3
SHA256 3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad
SHA512 d88fe014c04bec3ff9e1715bf15014a15f40275df6d4b67c6e586886320b6f853bdd885f51391570981750d8f3298d36b56fcc8f5bad8c36aa23289d1f0b2c40

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4488b3a67a0ecf9c5828f04e07a88b5b
SHA1 b01e670b271134018eb45de8c5dacb62d1e43e84
SHA256 d123ceaef023f24580841e8a3bbe90910fa2e3ab5bdbb84c12e9fc61e6c61189
SHA512 6a70ab5724bbc02333aa750d09e92a92de0d5364820ceebf6d163504a4f7af1d8241ecf7b810cc5b7fc936104b27c3a921c8690d5ad9c612d4b4301d5bc5159f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 62f263552a34e05d56ae02bddf0e0765
SHA1 41341230b1e3534c0a8a154a61326633d3318884
SHA256 72c24168e6c832d7a4c1ea9766cfdb27f4ec08e0922ba8dbf8424d500ba2f55f
SHA512 6e948302cec2293fd70237374afcd59cde8bcc7ab35ad7312fbd413b7c82fee8a194db9e09a9bfda3baab0dbd9f61a3266e533b2abc1692fdf524fae738f7eae

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 984cb07f576a56a0811bf7488a6fa299
SHA1 12d2e0ef13634dc061510d8ad48ae4208961826f
SHA256 d14abe083e55a7c5ebe10b5ba1e34e500095f7fe815bcac102d388cc8097ee1c
SHA512 300e6468511e94c35b17129389161c79f0b6fd82d95f41c354db24c2c01c0c614e2ba41b64421fed4b852294292652fdb5e19a2c520650bb8a15f8c366224279

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:23

Reported

2024-04-19 19:26

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\system32\cmd.exe
PID 656 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\system32\cmd.exe
PID 3120 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3120 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\schtasks.exe
PID 656 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\rss\csrss.exe
PID 656 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\rss\csrss.exe
PID 656 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe C:\Windows\rss\csrss.exe
PID 2032 wrote to memory of 4000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 4000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 4000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 3976 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 3976 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 3976 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 780 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2032 wrote to memory of 780 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4332 wrote to memory of 4656 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4656 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4656 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4656 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4656 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe

"C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe

"C:\Users\Admin\AppData\Local\Temp\3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3624 -ip 3624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 656 -ip 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 1c21e34d-5525-4785-8aaa-c162bf46874a.uuid.dumperstats.org udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server11.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server11.dumperstats.org tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.111:443 server11.dumperstats.org tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kni4migq.olo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e0c2587fdff40b55fd50c68f4096fd0e
SHA1 af9e2fec10c01a60d0591ce7db298b330c617b33
SHA256 83d6bb14047d5d075d4a8aae34a8aad3ac5bcbd08a623968bfe09e9036ef08e5
SHA512 b57984af4295c4bb61d09e3bd38bafc69c67ff7c96f72c8bd477f09a164ae714512f21fea3dfb0d52524c16fb20136ae25722c6e2a7f0cfd82f6e8b988ed454c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ca36f4066cad3efd680d941e43d6a25a
SHA1 13543b97e505039616be4cf868a3bf4a0a563de1
SHA256 b98b3a6c6c51d6ad2fd84147c0775c50450db9d92b72c5e386e86c8686e77bcc
SHA512 bca1a45c5be00c4f6b466c1c666f50d4c90d43c6a9a6f16682f1c5299ce983c4180420f2c45d3e489056027c846ca1ee0a019cc1b4043a2b9e0d6f0ff6a21c44

C:\Windows\rss\csrss.exe

MD5 9d5b3ce4eae736e3f07eb14565523e7a
SHA1 bccb9a3ddc66b0610e9b88d379f19b6f39020ff3
SHA256 3e8b527e867c8c9141b5f78da4f491d6282be93f0dcae90cfa8f6322ad7e68ad
SHA512 d88fe014c04bec3ff9e1715bf15014a15f40275df6d4b67c6e586886320b6f853bdd885f51391570981750d8f3298d36b56fcc8f5bad8c36aa23289d1f0b2c40

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d76b0e5761e3ca6e9b0cec9c725a0e29
SHA1 b6bb04ae7914cdb2b8b40730416be16c180acb54
SHA256 1dc70ca419e4cb8a82ce5d952cfb65819686e68cc04c5a1c1a652bd7b0d23331
SHA512 a1669f476baef4bec386ce8956dff66330595ca5d2458eca8c5fa8d94882407399bd441b58c431fcd9a603ed6db108fb74f1e45f7966dca4697b013a7058a53a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 35cbf563d4e83befe7995d4728e236a9
SHA1 9dde91400b6980e420af30d70f4c2e866f8d2a59
SHA256 508d150ef98441229a3d84de12d3cc2cf9efd4baeb719269cb31a37b3fb7c99d
SHA512 41cc2efc2bae4366ae5137c6b9bbf6dfb30e7230301c74443c63080b2210f116665d87f9be026ee57fafcce8f50f19cd27630ae7aded6e68df295c19fce58312

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b95844826d903876881210c2aa172888
SHA1 f42e75f546a56c0bc169b685174ff4f5e9dc6ed2
SHA256 fb3abc50570d3fe3729949e7b7a49cbd4e0834e10a8b8b3abae4776a310a4d59
SHA512 c52f32b9e5c533877d83748141cf181b256fba96ef89460c0d8e5f385fc26be032aa243f9d85057150ec7f42afdeb20c3cb0b90e05d4c73ec66f29c331984ac0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
