Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-xxhlhada47
Target f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d
SHA256 f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d

Threat Level: Known bad

The file f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:13

Reported

2024-04-19 19:16

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (20 matches, no per-match details reported)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no per-match details reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification (5 times) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (20 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A (12 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (26 times)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 3624 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 3580 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 4452 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 4308 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2484 wrote to memory of 392 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 3888 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2692 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\rss\csrss.exe
PID 2692 wrote to memory of 2748 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 2100 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 5080 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 2892 (2 writes) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1216 wrote to memory of 232 (3 writes) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 1648 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe

"C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe

"C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 74.146.23.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 769cf9d8-ce40-4c81-987e-aa4f830b310f.uuid.alldatadump.org udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.alldatadump.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server9.alldatadump.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server9.alldatadump.org tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server9.alldatadump.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_owqmiwdg.n1d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b793068e9e60352971f22e6ce10f9452
SHA1 b1057e8b0f51948be11b71fe4a26d107cfe042a0
SHA256 e6d0e041b305ea977d7ff5070b3692d7c24e5da62d3b986888d17f0118dcdcc5
SHA512 dd984af17a74a9be89010e7ad0234a0415272fc6afddf3d682c30cb2a5aa64d029683aee160acf6cd749801d116793ca955f04ae6a3a330f19509a178bb38937

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2714eda60cb774372e47a8cc970a98f8
SHA1 e11dee7044a2ea4b0ce49a214ba9eaa1ea218caa
SHA256 23471938b909b42a5fab1846da7d3c55ba5d67736409f37923fde4373e366174
SHA512 83530154bd6ebf0a7bcd36a778c0091cc4d939a04bd5c5752c12da6dd9ac0252569316d0dfb3c254db1039023fee4ab110794aaa772e8b88e1d3cd8e5fe370ee

C:\Windows\rss\csrss.exe

MD5 42a08089f3ad238fa3f5e06d23aaa147
SHA1 acb11a502188f99d1b5151722b36bc2bd6c30c61
SHA256 f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d
SHA512 52a477920ab92e9413a8581451dcb0496718ef88ce238865a0985bcfd04dd3269c626378b230b6aa5942475a9b3292433c54d21d8a1a8bb380d84909835d1396

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5692ec71f933e830a9543e26436314c7
SHA1 03a988cefdfc3943f2eefa3ec610acc3cf93b262
SHA256 1393c3d78d4b6345a7fa305d417729436eb199218b544bfb279c001f5b65bd97
SHA512 1a2d52bdd8a97633d132a8f6f5501d51010dbdf070b6ccadb7fc84e66ee14df24725cad75102c9af8be31876004af6a57ef31a846a2e426a58b43f67f6cc6c65

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ae89983ea911010170bc6de8dc513d29
SHA1 550194a93250b4a9e07f486d9d633cf6da549d0b
SHA256 a96ae31b06a2398ec4775521a3746f1ec160ef54d4872f6378917043aaf24d99
SHA512 526a3c7dd84563210b41bed3e8d4da880caeff25a8349548cd68fa3ea0c5cf88074c071707111d18178a4b61d8734bd44e303dde4e755a607fc99eb89767c7c4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 27e3745f7895d9dd3a07177e673f1703
SHA1 0e16c7da78a228c161fc22f38738bf177da27681
SHA256 022b54d24aaf5feb5d2cedfb28cfd4ba9f49982390b5004279d2d50200071a4b
SHA512 c67f1a6317627771651fad63401ec7de4421b3b593a069e4fee11b0174d83feb6f416ee62283c9eb54de1ffb40118bd5dca844172f4c4e5e0b25f1ec60d4a89c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:13

Reported

2024-04-19 19:16

Platform

win11-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\system32\cmd.exe
PID 4036 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4036 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4968 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\rss\csrss.exe
PID 4968 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\rss\csrss.exe
PID 4968 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe C:\Windows\rss\csrss.exe
PID 4796 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 784 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 784 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 784 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 1364 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4796 wrote to memory of 1364 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1624 wrote to memory of 3560 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 3560 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 3560 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3560 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3560 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe

"C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe

"C:\Users\Admin\AppData\Local\Temp\f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 30a3c36a-f40a-4bde-8223-d4bd8dafcd48.uuid.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.alldatadump.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server3.alldatadump.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server3.alldatadump.org tcp
BG 185.82.216.108:443 server3.alldatadump.org tcp
BG 185.82.216.108:443 server3.alldatadump.org tcp

Files

memory/2888-1-0x0000000003E00000-0x0000000004200000-memory.dmp

memory/2888-2-0x0000000004200000-0x0000000004AEB000-memory.dmp

memory/2888-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/672-4-0x0000000002E30000-0x0000000002E66000-memory.dmp

memory/672-5-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/672-6-0x0000000002E90000-0x0000000002EA0000-memory.dmp

memory/672-8-0x0000000002E90000-0x0000000002EA0000-memory.dmp

memory/672-7-0x0000000005540000-0x0000000005B6A000-memory.dmp

memory/672-9-0x0000000005420000-0x0000000005442000-memory.dmp

memory/672-10-0x00000000054C0000-0x0000000005526000-memory.dmp

memory/672-11-0x0000000005BE0000-0x0000000005C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_subqck3u.v31.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/672-20-0x0000000005DD0000-0x0000000006127000-memory.dmp

memory/672-21-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/672-22-0x0000000006330000-0x000000000637C000-memory.dmp

memory/672-23-0x0000000006860000-0x00000000068A6000-memory.dmp

memory/672-24-0x000000007F900000-0x000000007F910000-memory.dmp

memory/672-25-0x0000000007710000-0x0000000007744000-memory.dmp

memory/672-26-0x0000000070430000-0x000000007047C000-memory.dmp

memory/672-27-0x00000000705B0000-0x0000000070907000-memory.dmp

memory/672-36-0x0000000007750000-0x000000000776E000-memory.dmp

memory/672-37-0x0000000002E90000-0x0000000002EA0000-memory.dmp

memory/672-38-0x0000000007770000-0x0000000007814000-memory.dmp

memory/672-40-0x00000000078A0000-0x00000000078BA000-memory.dmp

memory/672-39-0x0000000007EE0000-0x000000000855A000-memory.dmp

memory/672-41-0x00000000078E0000-0x00000000078EA000-memory.dmp

memory/672-42-0x00000000079F0000-0x0000000007A86000-memory.dmp

memory/672-43-0x0000000007900000-0x0000000007911000-memory.dmp

memory/672-44-0x0000000007950000-0x000000000795E000-memory.dmp

memory/672-45-0x0000000007960000-0x0000000007975000-memory.dmp

memory/672-46-0x00000000079B0000-0x00000000079CA000-memory.dmp

memory/672-47-0x00000000079D0000-0x00000000079D8000-memory.dmp

memory/672-50-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/4968-52-0x0000000003CF0000-0x00000000040F3000-memory.dmp

memory/2888-53-0x0000000003E00000-0x0000000004200000-memory.dmp

memory/2888-54-0x0000000004200000-0x0000000004AEB000-memory.dmp

memory/4968-55-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2888-56-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1556-58-0x0000000006300000-0x0000000006657000-memory.dmp

memory/1556-67-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/1556-68-0x0000000003310000-0x0000000003320000-memory.dmp

memory/1556-69-0x0000000003310000-0x0000000003320000-memory.dmp

memory/1556-70-0x0000000070430000-0x000000007047C000-memory.dmp

memory/1556-71-0x000000007FE20000-0x000000007FE30000-memory.dmp

memory/1556-72-0x0000000070680000-0x00000000709D7000-memory.dmp

memory/1556-81-0x0000000007A60000-0x0000000007B04000-memory.dmp

memory/1556-82-0x0000000007D90000-0x0000000007DA1000-memory.dmp

memory/1556-83-0x0000000007DE0000-0x0000000007DF5000-memory.dmp

memory/1556-86-0x00000000741C0000-0x0000000074971000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2948-88-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/2948-90-0x0000000005650000-0x0000000005660000-memory.dmp

memory/2948-89-0x0000000005650000-0x0000000005660000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 97575aef403cd8b79c5fd05155233555
SHA1 58abf6706ba6927ce463443e1a500a92fe8238ac
SHA256 f9811741984aaa980dad56c9a48b328ff26ee878c011be3e22a3bb4675d609b1
SHA512 5f4419bd5dbb618d276050083ed181c8bdbb16cb22003b5c2349aaa2c610f6d799df83b718686165ce945fcf603f96ca8a0b008d298a23c9deff76b44a79d447

memory/2948-100-0x000000007FB90000-0x000000007FBA0000-memory.dmp

memory/2948-102-0x0000000070680000-0x00000000709D7000-memory.dmp

memory/2948-101-0x0000000070430000-0x000000007047C000-memory.dmp

memory/4968-104-0x0000000003CF0000-0x00000000040F3000-memory.dmp

memory/2948-106-0x0000000005650000-0x0000000005660000-memory.dmp

memory/2948-114-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/4968-115-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3448-126-0x0000000003480000-0x0000000003490000-memory.dmp

memory/3448-124-0x00000000741C0000-0x0000000074971000-memory.dmp

memory/3448-125-0x0000000003480000-0x0000000003490000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4ae506ac2c8bc8fc21038184f0fbad5e
SHA1 4fd7bc88e8f02987c84b98b4ea3a165ecef9186f
SHA256 522f00bc07628e3c165b2e25ff7cb0b5c87870790a90b3c64ee47fe078770ba6
SHA512 f0663c6d103b16a511e728c2b768f4d1fd57bcdf39df693d5377698cada59d6cb6b3aef41ed78489003f70b0eda659ebd7eaa7ea81d8675f08b1c2c316265c8c

memory/3448-129-0x0000000070430000-0x000000007047C000-memory.dmp

memory/3448-130-0x00000000705B0000-0x0000000070907000-memory.dmp

memory/3448-139-0x0000000003480000-0x0000000003490000-memory.dmp

memory/3448-140-0x0000000003480000-0x0000000003490000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 42a08089f3ad238fa3f5e06d23aaa147
SHA1 acb11a502188f99d1b5151722b36bc2bd6c30c61
SHA256 f4e184ed3320fc6df896781b1c80c7c89e08e9c34e68ef3e0a81703120283f8d
SHA512 52a477920ab92e9413a8581451dcb0496718ef88ce238865a0985bcfd04dd3269c626378b230b6aa5942475a9b3292433c54d21d8a1a8bb380d84909835d1396

memory/4968-146-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 31b281afe95a530eb8f2354517d85fa8
SHA1 af9add69a856196d6a692be7d4e73d934113e5af
SHA256 dc62251a884843d72cae764f4b7f405789efbd29ea617506aa94852b21fe03fa
SHA512 717d602b4c4364e219187e45ef088ec96e42266da748e90306bb27f66c552fa46f40b5d48c2795c677092d67de13e057a868af0b574a595338f0bdcf01cc787a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7cfdc1c3cb101b4a0b40114715c8a6e3
SHA1 a597a37bce15cd06a306b348860b9f387518b6e6
SHA256 8e7fe238f3e5b7ef190a8d1ed0abbfa1187a9d9c5fafafb54a8d9bdbc5d8b405
SHA512 0b152f8e8f2434e64958ec2f38ec91afccf46f4f31d697132838beccf25496f296545b301e04e30170b55bdc44ae57c50f9138b10fd847e77eba96f7898211d0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5be45cdffa1897f3b62f5417065fbc0d
SHA1 f13ee3b7439c27cb7472187d5ab8795031bec4c5
SHA256 0d6268f579b36757db29371b88ce0381fd0e59b0dc8fd364f6bffb416aeb6d1e
SHA512 d3f403f1297fb77e1be64a343699c4360ac39412b730fdc3661bf4db20bb2e27f93f445b2cfce0932d6556c8d0d026a65fc69d7e24318ab4a0bc2803d75c032e

memory/4796-236-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1624-251-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4796-252-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-254-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4432-255-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4796-257-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4432-261-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4796-260-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-263-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-266-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-269-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-272-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-275-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-278-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4796-281-0x0000000000400000-0x0000000001DFD000-memory.dmp