Malware Analysis Report

2025-08-05 12:17

Sample ID 240419-x552rsea9x
Target c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60
SHA256 c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60

Threat Level: Known bad

The file c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:27

Reported

2024-04-19 19:29

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\system32\cmd.exe
PID 1836 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3424 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\rss\csrss.exe
PID 728 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 728 wrote to memory of 4828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 728 wrote to memory of 916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 728 wrote to memory of 4180 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3244 wrote to memory of 3496 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe

"C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe

"C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 066317a4-870c-4cee-94bb-34bb20b21f07.uuid.statscreate.org udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.statscreate.org udp
BG 185.82.216.96:443 server13.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 stun.sipgate.net udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.96:443 server13.statscreate.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:31465 tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

memory/4252-1-0x0000000003CF0000-0x00000000040F3000-memory.dmp

memory/4252-2-0x0000000004100000-0x00000000049EB000-memory.dmp

memory/4252-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3116-4-0x00000000031C0000-0x00000000031F6000-memory.dmp

memory/3116-5-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/3116-6-0x0000000003230000-0x0000000003240000-memory.dmp

memory/3116-7-0x0000000003230000-0x0000000003240000-memory.dmp

memory/3116-8-0x0000000005A90000-0x00000000060B8000-memory.dmp

memory/3116-9-0x00000000058D0000-0x00000000058F2000-memory.dmp

memory/3116-10-0x0000000005990000-0x00000000059F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uahi4eub.yjf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3116-11-0x0000000005A00000-0x0000000005A66000-memory.dmp

memory/3116-21-0x0000000006160000-0x00000000064B4000-memory.dmp

memory/3116-22-0x00000000067B0000-0x00000000067CE000-memory.dmp

memory/3116-23-0x0000000006800000-0x000000000684C000-memory.dmp

memory/3116-24-0x0000000006D00000-0x0000000006D44000-memory.dmp

memory/3116-25-0x0000000007AD0000-0x0000000007B46000-memory.dmp

memory/3116-27-0x0000000007B70000-0x0000000007B8A000-memory.dmp

memory/3116-26-0x00000000081D0000-0x000000000884A000-memory.dmp

memory/3116-29-0x0000000007D30000-0x0000000007D62000-memory.dmp

memory/3116-28-0x000000007F7E0000-0x000000007F7F0000-memory.dmp

memory/3116-30-0x0000000070990000-0x00000000709DC000-memory.dmp

memory/3116-31-0x00000000710B0000-0x0000000071404000-memory.dmp

memory/3116-41-0x0000000007D70000-0x0000000007D8E000-memory.dmp

memory/3116-42-0x0000000003230000-0x0000000003240000-memory.dmp

memory/3116-43-0x0000000007D90000-0x0000000007E33000-memory.dmp

memory/3116-44-0x0000000007E80000-0x0000000007E8A000-memory.dmp

memory/3116-45-0x0000000007F40000-0x0000000007FD6000-memory.dmp

memory/3116-46-0x0000000007EA0000-0x0000000007EB1000-memory.dmp

memory/3116-47-0x0000000007EE0000-0x0000000007EEE000-memory.dmp

memory/3116-48-0x0000000007EF0000-0x0000000007F04000-memory.dmp

memory/3116-49-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

memory/3116-50-0x0000000007F30000-0x0000000007F38000-memory.dmp

memory/3116-53-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4252-54-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4252-56-0x0000000004100000-0x00000000049EB000-memory.dmp

memory/3424-57-0x0000000003AC0000-0x0000000003EBD000-memory.dmp

memory/3424-58-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2500-61-0x0000000003440000-0x0000000003450000-memory.dmp

memory/2500-60-0x0000000003440000-0x0000000003450000-memory.dmp

memory/2500-59-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/2500-67-0x0000000006330000-0x0000000006684000-memory.dmp

memory/2500-72-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

memory/2500-73-0x000000007F5E0000-0x000000007F5F0000-memory.dmp

memory/2500-74-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/2500-85-0x0000000003440000-0x0000000003450000-memory.dmp

memory/2500-86-0x0000000007B50000-0x0000000007BF3000-memory.dmp

memory/2500-75-0x0000000071230000-0x0000000071584000-memory.dmp

memory/2500-87-0x0000000007E80000-0x0000000007E91000-memory.dmp

memory/2500-88-0x0000000007ED0000-0x0000000007EE4000-memory.dmp

memory/2500-91-0x0000000074B90000-0x0000000075340000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3624-93-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/3624-95-0x0000000002430000-0x0000000002440000-memory.dmp

memory/3624-94-0x0000000002430000-0x0000000002440000-memory.dmp

memory/3624-105-0x0000000005730000-0x0000000005A84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b1fb1c3a2f754deaa0be884f9b6b108f
SHA1 4a9abb8bc191b92afcbf6380afc371f25e447336
SHA256 36c8727a18a81eff0f9ae77c29b67b2c83a25e78644fbb2839a5f25f0fc8852f
SHA512 a45f951678c74b7cbbc06cc1d069c49a3205763c53ed034de72ddea77621cffa753743daa4baf87435340480ba81f12cbe4343117b3bfb85850980cfd8242755

memory/3624-108-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/3624-119-0x0000000002430000-0x0000000002440000-memory.dmp

memory/3624-109-0x0000000070C50000-0x0000000070FA4000-memory.dmp

memory/3624-107-0x000000007F340000-0x000000007F350000-memory.dmp

memory/3624-121-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/4920-122-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/3424-132-0x0000000003AC0000-0x0000000003EBD000-memory.dmp

memory/4920-133-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

memory/4920-134-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1bfa62f583b4031d6d4549b3020e3b82
SHA1 522d23c99a0fa4da1c4aa522b6d6f71d79ff6674
SHA256 2483c4557de0d9625079b013da4f17b668e3716a06a7c89b790ec36ca9f16bca
SHA512 8379a5fd96a01bf544d5582a6012c5898075a8ceb5f25d9c5be550823fa56aa1b2618ad36d8157ce2a43e8bd8097ab5995d580f1acec278d022413762b792c84

memory/4920-135-0x0000000005FC0000-0x0000000006314000-memory.dmp

memory/4920-137-0x0000000070A90000-0x0000000070ADC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 65afc93fa62abd61d410206fc1229530
SHA1 70eb477eff1ba808455854e3c734a531150c26ec
SHA256 c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60
SHA512 b7d8bee1848a9b34d54d6dd70a70c860a8e868ecf11e2dcfe34f7f444941afaef1f18afbf82648038ae6a9e89296068524be1df7d25afd7bef5dcb8ab64d9166

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 beb09e39d0870e925f20bd67808073b6
SHA1 cf2fafa408455189e14e2c09bed483ab21b549af
SHA256 7a6235b2bbc4903eb4e5532d8186786ec416fd88d49d997d9e78090a5758278c
SHA512 ae31b9a4713d0db8ce37d9c9ef3fd0103cc3d2f5faddfcd21b4fe403502d906ac0d94007bd294baa48e0423e8cc4b581af36d7fdd8c451885923f8c7af6ddf72

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5054b0a6a1c65f78bb24e223d40142df
SHA1 993c915d2de9d6ea0162ffb382cbc2e24ef0ce98
SHA256 50d7672ea6471917d9caece147d2a88bf9cf891db022d07c424a6a595fe5f139
SHA512 47a5f63c5d657bf321eb5bf645156ef7b364c30b6e605da441878df7a9a263847611648273e1dc9d8f95796b0cc3af35a371b14e1605255cccfc61e2789b4e8d

memory/3424-207-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ff5a511ff21f4c04b6b3cdb281b997d
SHA1 979d7e32024dfc809b6987f67b0808de953da080
SHA256 33dd2a6d6c341eb30b338316bd5051ce76048db721ec77a7d0de030d49f75251
SHA512 d3b6c534b7c73639692b1ba176a5820b57fa1f4025382ed46441df9cf92ccb0eed7ee47de2730444ae6997cfaa89f2817fafadf29bdb70881689cc1afbdb9bf2

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/728-263-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/728-265-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3244-273-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/728-275-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3344-276-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/728-278-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/728-281-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3344-282-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/728-284-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3344-286-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/728-287-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/728-290-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3344-291-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/728-293-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/728-296-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/728-299-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/728-302-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/728-305-0x0000000000400000-0x0000000001E08000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:27

Reported

2024-04-19 19:29

Platform

win11-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\system32\cmd.exe
PID 4556 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1352 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4556 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\rss\csrss.exe
PID 4556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\rss\csrss.exe
PID 4556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe C:\Windows\rss\csrss.exe
PID 1912 wrote to memory of 3376 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 3376 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 3376 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 4060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 4060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 4060 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 2968 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1912 wrote to memory of 2968 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1548 wrote to memory of 3456 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 3456 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 3456 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3456 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3456 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe

"C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe

"C:\Users\Admin\AppData\Local\Temp\c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 070718e5-5fa0-4acb-989e-4df1a75af9b3.uuid.statscreate.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.statscreate.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server10.statscreate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server10.statscreate.org tcp
NL 52.111.243.29:443 tcp
BG 185.82.216.96:443 server10.statscreate.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhdq21c1.tka.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ee958f3a56bd65006919c43f7204cad1
SHA1 5ee07c3024ac23e967548afde0ea296246a550d8
SHA256 b964b8a1954601d7284e2f2e039220f66c4012385eed838101359bfb99274bab
SHA512 6419afabf911f9be3397140d19bceebc857f4789bce4ee618797cf57185305b1c147a964523a8987cf8e18b3c4ceaa5e795f0386084219083700da7564af749e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dc45e9f242dae0fa3a8433217870794f
SHA1 e795fb683513a1f2b2b72e6115ce59759ceedb10
SHA256 0c98e263f52317be5532512ad2ea889777e6fe214d65f7d788afa2729c1c2f33
SHA512 3ddb0d52a5dc9b5449b0364e65e97af083c9052ee262470d5c70d5f0f80a002461270ef378dc5274111cb2587b019539ab812c61dc2dbafdbfb17d57f3738cee

C:\Windows\rss\csrss.exe

MD5 65afc93fa62abd61d410206fc1229530
SHA1 70eb477eff1ba808455854e3c734a531150c26ec
SHA256 c062577ae1b0f999c1439f2daaf281ef53431c6fb7bc6cea3aaa9901a82a0c60
SHA512 b7d8bee1848a9b34d54d6dd70a70c860a8e868ecf11e2dcfe34f7f444941afaef1f18afbf82648038ae6a9e89296068524be1df7d25afd7bef5dcb8ab64d9166

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 111788dd313e1afbeae17225de4d9996
SHA1 338dc16bf854da3be4ea997b9bb3f42e4be3718d
SHA256 b0e82fa08a20e6fd67662aa4ea57a68ee7c936d31bb53c96c9df4252762ee937
SHA512 29023e189261e1e86802fcbdbd191f3adae77332a6136abbfeac5d480abdea26bd128a91a69b096c60d5eac830d7f919bbc77fb5e9b76b0e029e59df2c3f8a94

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 74f10300ae2d2eed275379283a30da62
SHA1 9a11ff25bd76854c6789cf3de163a6fd2c58e607
SHA256 9da62921e3c2b386028a85d7dc893f252c8b1c0bef7b66e307a0b7161b5aa327
SHA512 50e636c0420745defc8ccfc4204662549e4706167a2a1d94dfacfd6f50244359f7750a9510bf680f9c0857735df6d8757c7d35df18f746c5109df820aedb8904

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7bc67923574c56103a1a633d0b49d3d7
SHA1 79e60515589208aba87e877d2a2cb81577102c11
SHA256 87cab71e3b3cb7eeea2a2af7f43132c81e8681119eda984b567090857310038f
SHA512 7965a6127e782bddc332344b7e257d312a958a9a40edf28ab44ac03599b626e051d429431d6d08583999877fd8b5d59f7c12fc8c192a137d83d749bfe696f1f6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
