Malware Analysis Report

2025-08-06 03:33

Sample ID: 240419-xzqpwsdb32
Target: 3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503
SHA256: 3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503
Tags: glupteba discovery dropper evasion loader persistence rootkit upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503

Threat Level: Known bad

The file 3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-19 19:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-19 19:17
Reported: 2024-04-19 19:20
Platform: win10v2004-20240412-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A (×2)

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×5)
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A (×2)

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×4)
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×2)
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×20)
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A (×12)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (×26)
N/A N/A C:\Windows\rss\csrss.exe N/A (×6)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×7)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (×2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 4852 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 4852 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\system32\cmd.exe (×2)
PID 3168 wrote to memory of 3812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (×2)
PID 4852 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 4852 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 4852 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\rss\csrss.exe (×3)
PID 1932 wrote to memory of 4696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 1932 wrote to memory of 3432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 1932 wrote to memory of 3324 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 1932 wrote to memory of 1304 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (×2)
PID 2748 wrote to memory of 1812 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (×3)
PID 1812 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe

"C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe

"C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
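The `sc sdset WinDefender ...` command above replaces the security descriptor of the service the sample registers. The decoder below is an added example, not code from the report or from the sample: it parses that exact SDDL string, maps the two-letter rights tokens to the SERVICE_* access rights they stand for on a service object, and walks the DACL the way an access check does for a single trustee. DEFAULT_SDDL is the default service descriptor Microsoft documents for services created through the Service Control Manager, included for comparison (assumption: a particular stock service may ship with a different one).

```python
import re
from collections import namedtuple

# Two-letter SDDL rights tokens as they apply to service objects, with the
# SERVICE_* / standard right each one encodes (Win32 service security docs).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}

# The string the sample passed to `sc sdset WinDefender` (copied from the
# process list above) and, for comparison, the documented default service
# descriptor (assumption: individual stock services may differ).
GLUPTEBA_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
DEFAULT_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid trustee")
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")


def parse_sddl(sddl):
    """Split an SDDL string into its DACL and SACL as lists of Ace tuples."""
    marks = list(re.finditer(r"[OGDS]:", sddl))
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group()[0]] = sddl[m.end():end]
    dacl = [Ace(*a) for a in ACE_RE.findall(sections.get("D", ""))]
    sacl = [Ace(*a) for a in ACE_RE.findall(sections.get("S", ""))]
    return dacl, sacl


def rights_mask(rights):
    """Turn a run of two-letter rights tokens (or a hex literal) into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SERVICE_RIGHTS[rights[i:i + 2]][1]
    return mask


def access_check(dacl, trustee, requested):
    """Walk the DACL in order for one trustee: an allow ACE strips the bits it
    grants from the request, a deny ACE that covers any still-outstanding bit
    fails the check. Group membership, inheritance flags and the owner's
    implicit rights are ignored (a simplification for illustration)."""
    remaining = requested
    for ace in dacl:
        if ace.trustee != trustee:
            continue
        mask = rights_mask(ace.rights)
        if ace.type == "A":
            remaining &= ~mask
        elif ace.type == "D" and remaining & mask:
            return False
        if remaining == 0:
            return True
    return remaining == 0


def effective_rights(sddl, trustee):
    """Names of the service rights the trustee can obtain under this DACL."""
    dacl, _ = parse_sddl(sddl)
    return sorted(name for name, bit in SERVICE_RIGHTS.values()
                  if access_check(dacl, trustee, bit))


def rights_lost(trustee="BA"):
    """Rights the trustee holds under the default DACL but not under the sample's."""
    return sorted(set(effective_rights(DEFAULT_SDDL, trustee))
                  - set(effective_rights(GLUPTEBA_SDDL, trustee)))


if __name__ == "__main__":
    print("Administrators lose:", rights_lost("BA"))
    print("Administrators keep:", effective_rights(GLUPTEBA_SDDL, "BA"))
```

Running it shows Administrators (BA) losing SERVICE_STOP and SERVICE_PAUSE_CONTINUE: the BA allow ACE omits WP and DT and an explicit (D;;WPDT;;;BA) deny follows it, so `sc stop` or `net stop` from an elevated prompt fails with access denied while LocalSystem keeps the right to stop. The lockdown is shallow, though: BA still holds WRITE_DAC and SERVICE_CHANGE_CONFIG, so an administrator can read the live descriptor with `sc sdshow WinDefender`, restore a sane one with `sc sdset`, and then stop and delete the service (or do the same as SYSTEM). A deny ACE placed after an allow ACE is also non-canonical ordering (denies normally come first); the in-order walk still denies here because the BA allow ACE never covers WP or DT.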

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 e56cf833-058c-40cf-ada8-0d5b6b3b0e31.uuid.createupdate.org udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server13.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server13.createupdate.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
BG 185.82.216.104:443 server13.createupdate.org tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 185.82.216.104:443 server13.createupdate.org tcp
BG 185.82.216.104:443 server13.createupdate.org tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
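Most of the Network table is sandbox noise: the 8.8.8.8:53 rows ending in in-addr.arpa are reverse lookups the analysis host makes for every IP it sees, and rows such as g.bing.com and tse1.mm.bing.net are typical of the Windows image itself. The triage helper below is an added example and not part of the report: it parses rows in the table's own "Country Destination Domain Proto" layout (including the row that has no domain column), drops the PTR noise, separates STUN traffic (heuristic: port 3478 or a first label starting with "stun"), flags hostnames whose first label is a UUID, and counts repeated TCP destinations. SAMPLE_TABLE is a subset copied from the table above so the block runs offline; the threshold and the heuristics are assumptions to tune.

```python
import re
from collections import Counter

# Rows copied verbatim from the Network table above (a subset, to keep the
# example short); the same parser handles the full table.
SAMPLE_TABLE = """\
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 e56cf833-058c-40cf-ada8-0d5b6b3b0e31.uuid.createupdate.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server13.createupdate.org udp
BG 185.82.216.104:443 server13.createupdate.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server13.createupdate.org tcp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
BG 185.82.216.104:443 server13.createupdate.org tcp
"""

# A hostname whose first DNS label is an RFC 4122-shaped UUID.
UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)


def parse_rows(table):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError("unexpected row: " + line)
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket a row so sandbox noise is separated from what is worth pivoting on."""
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr_noise"        # reverse lookup of an IP already seen
    if row["port"] == 3478 or d.split(".")[0].startswith("stun"):
        return "stun"             # external-address discovery (port/label heuristic)
    if UUID_LABEL.match(d):
        return "uuid_label"       # per-host identifier carried in the name
    if not d:
        return "unnamed"          # connection with no resolution recorded
    return "named"


def triage(table, min_repeats=3):
    """Summarise a table: bucket counts, flagged names, repeated TCP destinations."""
    rows = parse_rows(table)
    buckets = Counter(classify(r) for r in rows)
    tcp_by_dest = Counter(f"{r['ip']}:{r['port']}" for r in rows if r["proto"] == "tcp")
    return {
        "rows": len(rows),
        "buckets": dict(buckets),
        "uuid_hosts": sorted({r["domain"] for r in rows if classify(r) == "uuid_label"}),
        "unnamed": sorted({f"{r['ip']}:{r['port']}" for r in rows if classify(r) == "unnamed"}),
        "tcp_by_dest": dict(tcp_by_dest),
        "repeated_tcp": sorted(d for d, n in tcp_by_dest.items() if n >= min_repeats),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TABLE).items():
        print(key, value)
```

On the subset it reports two PTR rows, two STUN rows, the UUID-labelled createupdate.org name, the unnamed 52.111.227.13:443 connection, and 185.82.216.104:443 (server13.createupdate.org) as the only destination contacted three or more times. Repetition alone is not specific (in the full table tse1.mm.bing.net also repeats five times), so combine it with the name-pattern and unresolved-connection checks before calling a destination a beacon; the cdn.discordapp.com and carsalessystem.com rows stay in the "named" bucket and need a reputation or payload check rather than this structural filter.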

Files

memory/2660-1-0x0000000003D40000-0x0000000004143000-memory.dmp

memory/2660-2-0x0000000004150000-0x0000000004A3B000-memory.dmp

memory/2660-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2832-4-0x0000000004F30000-0x0000000004F66000-memory.dmp

memory/2832-5-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/2832-6-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/2832-7-0x00000000055B0000-0x0000000005BD8000-memory.dmp

memory/2832-8-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/2832-9-0x0000000005530000-0x0000000005552000-memory.dmp

memory/2832-10-0x0000000005C50000-0x0000000005CB6000-memory.dmp

memory/2832-11-0x0000000005CC0000-0x0000000005D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4owwwtu2.b0h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2832-18-0x0000000005EB0000-0x0000000006204000-memory.dmp

memory/2832-22-0x0000000006500000-0x000000000651E000-memory.dmp

memory/2832-23-0x00000000065C0000-0x000000000660C000-memory.dmp

memory/2832-24-0x0000000006A80000-0x0000000006AC4000-memory.dmp

memory/2832-25-0x0000000007830000-0x00000000078A6000-memory.dmp

memory/2832-26-0x0000000007F30000-0x00000000085AA000-memory.dmp

memory/2832-27-0x00000000078D0000-0x00000000078EA000-memory.dmp

memory/2832-28-0x000000007EF50000-0x000000007EF60000-memory.dmp

memory/2832-29-0x0000000007A90000-0x0000000007AC2000-memory.dmp

memory/2832-30-0x00000000704F0000-0x000000007053C000-memory.dmp

memory/2832-31-0x0000000070C70000-0x0000000070FC4000-memory.dmp

memory/2832-41-0x0000000007AD0000-0x0000000007AEE000-memory.dmp

memory/2832-42-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/2832-43-0x0000000007AF0000-0x0000000007B93000-memory.dmp

memory/2832-44-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

memory/2832-45-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/2832-46-0x0000000007CF0000-0x0000000007D86000-memory.dmp

memory/2832-47-0x0000000007BF0000-0x0000000007C01000-memory.dmp

memory/2832-48-0x0000000007C30000-0x0000000007C3E000-memory.dmp

memory/2832-49-0x0000000007C50000-0x0000000007C64000-memory.dmp

memory/2832-50-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

memory/2832-51-0x0000000007C90000-0x0000000007C98000-memory.dmp

memory/2832-54-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4852-56-0x0000000003B00000-0x0000000003F01000-memory.dmp

memory/2660-57-0x0000000003D40000-0x0000000004143000-memory.dmp

memory/2660-58-0x0000000004150000-0x0000000004A3B000-memory.dmp

memory/4852-59-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2660-60-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4644-61-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4644-62-0x0000000002600000-0x0000000002610000-memory.dmp

memory/4644-63-0x0000000002600000-0x0000000002610000-memory.dmp

memory/4644-73-0x0000000005A70000-0x0000000005DC4000-memory.dmp

memory/4644-74-0x0000000006070000-0x00000000060BC000-memory.dmp

memory/4644-75-0x000000007EF30000-0x000000007EF40000-memory.dmp

memory/4644-76-0x00000000705F0000-0x000000007063C000-memory.dmp

memory/4644-77-0x0000000070790000-0x0000000070AE4000-memory.dmp

memory/4644-87-0x0000000007190000-0x0000000007233000-memory.dmp

memory/4644-89-0x0000000002600000-0x0000000002610000-memory.dmp

memory/4644-88-0x0000000002600000-0x0000000002610000-memory.dmp

memory/4644-90-0x00000000074B0000-0x00000000074C1000-memory.dmp

memory/4644-91-0x0000000007500000-0x0000000007514000-memory.dmp

memory/4644-94-0x0000000074650000-0x0000000074E00000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4500-96-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4500-97-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4500-98-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4500-108-0x0000000005720000-0x0000000005A74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 954d8baed4644eea1bfe47f56bf4a293
SHA1 371d3729669588d5663621c5f7117c2837cff7c4
SHA256 04dc9fe01241058306fade3b3b6f07d7a2a78e9b85213ff7ca7efbfc34ffa598
SHA512 58bf0ce7c1459c2253c6efd5b47e31bc46c4f4a4b9eab61e8a66a5e360ec791421d3dc5b551eec8ed61f9ee2b9a3aa3ee705fd2bff10e5609b9290cc482795fa

memory/4852-110-0x0000000003B00000-0x0000000003F01000-memory.dmp

memory/4500-111-0x000000007F7D0000-0x000000007F7E0000-memory.dmp

memory/4500-113-0x0000000070770000-0x0000000070AC4000-memory.dmp

memory/4500-112-0x00000000705F0000-0x000000007063C000-memory.dmp

memory/4500-123-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4500-125-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4156-126-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4156-127-0x00000000026A0000-0x00000000026B0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 43bb8601b32f50e2bdea7f9aab5c2ef0
SHA1 38f61bca86e355f660c4e4fa210170e9b56eb83e
SHA256 733d177977b2c781d800aab016a70d4044f2a39331af32e08628e9421bc2975b
SHA512 cfb558d33ade93415a40f3f04e8009cd1dc32bd0c6015c52c7af4bbd43097bf1b03355ce6f16bddd779070aac001c0298d994b05fa74dffb84d7bfb7ccc0a4e6

C:\Windows\rss\csrss.exe

MD5 7e248f25f0af33ccd8993bd7f5c4a121
SHA1 c4cdb88b61822c245445e680d2369a9b5417cab8
SHA256 3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503
SHA512 3d85d9cf79dce74e75a712fe2ae781a7859c380485d5c60f5a8de8f9e26639e5a8e66f6462f4effb7c2d6441668a6e7c03122f4275db3e931a8949891e55e7dc

memory/4852-160-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6db27b4d61c2db00db63a9b0b9379be5
SHA1 c667266ec226eceb4daaff3db97583283f6c98a9
SHA256 798ed51387f83f4a306146d0e2d25a1f846ae38e83fb688d6ec7cf5a51085bbb
SHA512 5e42385cb32ab0944f11eb4997d205c2f20670f8a59e07b941b33bdba292cf10c91bb37cb41dd73fa198c22c73af82678a47f88ba13b6ea75be6a12892d700ab

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 afb0638dcbd511f3d4a21df6b639b7d7
SHA1 c6533f240be39022cd66892c56d17e743d3e8ff8
SHA256 d2956d3794341f9ec30d4982f49a8a708d74f6283e03b40580c6cfbda3b80781
SHA512 61ba83d2cd6e29f22d7b29fd386a75e37b978256db4933124291234e04be2f74e9497a12717eb84e358c49486875f50ae438321316f6d83ae167adf0c9502984

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f8f9de51a49155c7237e7900fc42d26
SHA1 32be4420f5be03242289d4584814ca1a99c594f5
SHA256 db1faba89526b88d637c5154ad10538879f91b2747d0255791df7a6fbb228d7c
SHA512 d039a37c7633a54f6b55cac5780c195855d94128affbb1e018cf4ee6ccaa5c67ebd8b08fb7b05a3dff9ad0946ac70c5de3fb3defcd6cf2a01aea3b011a7cc51f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1932-264-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1932-268-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2748-273-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1932-274-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3632-275-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1932-276-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-278-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3632-279-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1932-280-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-282-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-284-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-286-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-288-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-290-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-292-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1932-294-0x0000000000400000-0x0000000001E08000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:17

Reported

2024-04-19 19:20

Platform

win11-20240412-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
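Every persistence and evasion step in this report reaches the host through an ordinary command line: netsh adding an inbound allow rule for C:\Windows\rss\csrss.exe, schtasks creating an ONLOGON task at the highest run level for the same binary, sc rewriting a service DACL with a deny ACE for Administrators, and injector.exe being handed taskmgr.exe and a hook DLL. The rule set below is an added example (not code from the report or from any product): it runs over process-creation events constructed from the command lines in the behavioral1 process list, plus two constructed benign controls, and flags the structural tells rather than the sample's specific names. The trusted-directory list and the set of System32-only binaries are assumptions a deployment would tune.

```python
import re
from pathlib import PureWindowsPath

# Assumed trusted install locations. C:\Windows\Sysnative is the WOW64 alias
# for System32, which is why the sample's 32-bit process reached cmd.exe via it.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\windows\sysnative", r"c:\program files",
                r"c:\program files (x86)")
# Core processes that only ever run from System32 (assumed list).
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "wininit.exe"}


def trusted(path):
    p = str(PureWindowsPath(path.strip('"'))).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def rule_masquerade(image, cmdline):
    """A System32-only binary name running from anywhere else."""
    p = PureWindowsPath(image)
    parent = str(p.parent).lower()
    if p.name.lower() in SYSTEM32_ONLY and parent != r"c:\windows\system32":
        return f"{p.name} running from {parent}"


def rule_firewall_allow(image, cmdline):
    """netsh inbound allow rule whose program lives outside trusted dirs."""
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule", cmdline, re.I):
        return None
    if not re.search(r"action=allow", cmdline, re.I):
        return None
    m = re.search(r'program="?([^"\s]+)', cmdline, re.I)
    if m and not trusted(m.group(1)):
        return f"inbound allow rule for {m.group(1)}"


def rule_logon_task(image, cmdline):
    """schtasks ONLOGON task at highest run level for an untrusted binary."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    if not (re.search(r"/sc\s+onlogon", cmdline, re.I)
            and re.search(r"/rl\s+highest", cmdline, re.I)):
        return None
    m = re.search(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', cmdline, re.I)
    target = (m.group(1) or m.group(2)) if m else ""
    if target and not trusted(target):
        return f"logon task at highest run level for {target}"


def rule_service_dacl(image, cmdline):
    """sc sdset whose SDDL denies stop/pause/reconfigure to BA, SY or Everyone."""
    m = re.search(r"\bsc(\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if not m:
        return None
    service, sddl = m.group(2), m.group(3)
    for rights, who in re.findall(r"\(D;[^;]*;([A-Z]*);[^;]*;[^;]*;([\w-]+)\)", sddl):
        toks = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if who in ("BA", "SY", "WD") and toks & {"WP", "DT", "DC"}:
            return f"service {service} denies {who} {sorted(toks)}"


def rule_exe_and_dll_args(image, cmdline):
    """A non-loader binary handed both a process name and a DLL path."""
    if PureWindowsPath(image).name.lower() in ("rundll32.exe", "regsvr32.exe"):
        return None
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline)[1:]]
    dlls = [a for a in args if a.lower().endswith(".dll")]
    exes = [a for a in args if a.lower().endswith(".exe")]
    if dlls and exes:
        return f"{exes[0]} and {dlls[0]} passed as arguments"


RULES = {"system32_masquerade": rule_masquerade,
         "firewall_allow_untrusted": rule_firewall_allow,
         "logon_task_highest_untrusted": rule_logon_task,
         "service_dacl_deny": rule_service_dacl,
         "exe_and_dll_args": rule_exe_and_dll_args}

# (image, command line) events built from the behavioral1 process list, plus
# two constructed benign controls at the end (not from the report).
EVENTS = [
    (r"C:\Windows\Sysnative\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\SysWOW64\sc.exe",
     r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\csrss.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate'),
]


def detect(events):
    """Return (rule, image, detail) for every rule that fires on each event."""
    hits = []
    for image, cmdline in events:
        for rule, fn in RULES.items():
            detail = fn(image, cmdline)
            if detail:
                hits.append((rule, image, detail))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(*hit, sep=" | ")
```

On the constructed events it raises six hits (the cmd.exe wrapper and the netsh.exe child both trip the firewall rule, then the logon task, the masquerading csrss.exe, the DACL change and the injector) and nothing for the real C:\Windows\System32\csrss.exe or the vendor updater task, which sits in a trusted directory despite using the same ONLOGON and HIGHEST flags. The WinMonFS handle and the VBoxMiniRdrDN probe in the tables above are file-object opens rather than command lines and need a separate rule on handle events.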

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5000 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2716 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\rss\csrss.exe
PID 2716 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\rss\csrss.exe
PID 2716 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe C:\Windows\rss\csrss.exe
PID 2624 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 3644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 3644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 3644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4916 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2624 wrote to memory of 4916 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 652 wrote to memory of 4320 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4320 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4320 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4320 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe

"C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe

"C:\Users\Admin\AppData\Local\Temp\3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e6460727-3506-4acb-a245-fd20eea03f81.uuid.createupdate.org udp
US 8.8.8.8:53 server11.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server11.createupdate.org tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server11.createupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d2lkrncq.dk0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ccca5ff819d18a400bda2da6e4e8874e
SHA1 34416e2507579d6dbee67dcd7db67e81294297bd
SHA256 75240c4e020a094152a81f7e0864487794bb2cba1a9b16b67a1803779f57a4eb
SHA512 75bacc0883246a648fd73770c7e10fc13e48f7dc06aa63d9400d40ccf24053ee4666bae95eec295780587a4564740ba4632058a23b53cac0bafb781c1fb87876

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4b6df3c42e3db34309d7fbaab14bf2d
SHA1 e8632f1a535a9fef10049d68872130525ca0b264
SHA256 7f5771468836fc72456b4861eeafe2a43e059a1022605ed5ae1bb0ccf1f90e3e
SHA512 e49e3726125ba4d185f0ced610a1a7cc0713cb228d3854f4ed61df34f2784574cb14085657ce6036e59da504fd9dd1e0b840d64bfd796466eb6b23d195a02d55

C:\Windows\rss\csrss.exe

MD5 7e248f25f0af33ccd8993bd7f5c4a121
SHA1 c4cdb88b61822c245445e680d2369a9b5417cab8
SHA256 3c117306f10caded888705ff4e1d9b1a6023e1799724762e93f48c1c84fea503
SHA512 3d85d9cf79dce74e75a712fe2ae781a7859c380485d5c60f5a8de8f9e26639e5a8e66f6462f4effb7c2d6441668a6e7c03122f4275db3e931a8949891e55e7dc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9fa38273a2c582d1dde7012607194f87
SHA1 0e9f8222aff1de213fea92c49436de7d4796276f
SHA256 75211cc1c9a5ecc1fccb0b2fc0cf0c9fedf51aad57670afa9106735887e183e5
SHA512 274060fe420eb368904ecabc83dddc0735c26c47c5829807a33cf5b84f793777e13918c8c09c30f68efcfb16d961983513cf8536f0b1325182c2a0ae94e4630f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d64be8406d391e2e9d311f1c1fcd5f2f
SHA1 627224c522d239d7cdcbdfff1702bd2bdd3b362c
SHA256 17f9da8522934a3d27528b2e65e7bfd58ded30e7c52b83332a4835ee3eac9739
SHA512 22392f0151911de354b8a1f8f37d20ce0f96e67e6f801a0f94ea142e7880a6bf36ae5e74600e128dd76627cdebfaba79003672ca048b328e1d97ff642e9364bc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 41933ed20cee406e9a1e201a742be3da
SHA1 014bb4f3d6c4bb514060e3d177bc72b9d0b41f09
SHA256 c13463c98edf538083f028886d4efd8642cbda1e3083804231913bde975df982
SHA512 94b176dee14afeffe9a07e619763d403aada68d0773e1af0875c344f21012a160475e4fa0b4779678377ba178d7e437ac214185b858afdee65b09f6df636ff2b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
