Malware Analysis Report

2025-06-16 01:58

Sample ID: 240509-t9lxxafb55
Target: 1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb
SHA256: 1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb

Threat Level: Known bad

The file 1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported: 2024-05-09 16:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 16:45

Reported: 2024-05-09 16:48

Platform: win10v2004-20240426-en

Max time kernel: 150s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (17 matches, no indicator details recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (14 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A (12 events)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (7 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4908 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\rss\csrss.exe
PID 3600 wrote to memory of 4996 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 2196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 2816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 5104 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1836 wrote to memory of 3624 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe

"C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe

"C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 a170dfdd-a8ed-42e5-a70f-2cfa1bc0fdf6.uuid.statstraffic.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server1.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.104:443 server1.statstraffic.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
BG 185.82.216.104:443 server1.statstraffic.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
BE 2.17.196.123:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 123.196.17.2.in-addr.arpa udp
BG 185.82.216.104:443 server1.statstraffic.org tcp

Files

memory/4860-1-0x00000000033C0000-0x00000000037BD000-memory.dmp

memory/4860-2-0x0000000005060000-0x000000000594B000-memory.dmp

memory/4860-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/452-4-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

memory/452-5-0x0000000004C00000-0x0000000004C36000-memory.dmp

memory/452-7-0x0000000005380000-0x00000000059A8000-memory.dmp

memory/452-6-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/452-8-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/452-9-0x0000000005210000-0x0000000005232000-memory.dmp

memory/452-10-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/452-11-0x0000000005B50000-0x0000000005BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovutjios.ox3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/452-17-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/452-22-0x00000000061F0000-0x000000000620E000-memory.dmp

memory/452-23-0x0000000006280000-0x00000000062CC000-memory.dmp

memory/452-24-0x0000000006770000-0x00000000067B4000-memory.dmp

memory/452-25-0x0000000007520000-0x0000000007596000-memory.dmp

memory/452-27-0x00000000075A0000-0x00000000075BA000-memory.dmp

memory/452-26-0x0000000007C20000-0x000000000829A000-memory.dmp

memory/452-28-0x0000000007760000-0x0000000007792000-memory.dmp

memory/452-41-0x00000000077A0000-0x00000000077BE000-memory.dmp

memory/452-31-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/452-30-0x00000000711A0000-0x00000000714F4000-memory.dmp

memory/452-29-0x0000000070A20000-0x0000000070A6C000-memory.dmp

memory/452-42-0x00000000077C0000-0x0000000007863000-memory.dmp

memory/452-43-0x00000000078B0000-0x00000000078BA000-memory.dmp

memory/452-44-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/452-45-0x00000000079C0000-0x0000000007A56000-memory.dmp

memory/452-46-0x00000000078C0000-0x00000000078D1000-memory.dmp

memory/452-47-0x0000000007900000-0x000000000790E000-memory.dmp

memory/452-48-0x0000000007920000-0x0000000007934000-memory.dmp

memory/452-49-0x0000000007960000-0x000000000797A000-memory.dmp

memory/452-50-0x0000000007950000-0x0000000007958000-memory.dmp

memory/452-53-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/4860-55-0x00000000033C0000-0x00000000037BD000-memory.dmp

memory/4860-56-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4860-57-0x0000000005060000-0x000000000594B000-memory.dmp

memory/4860-68-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4968-80-0x0000000007390000-0x0000000007433000-memory.dmp

memory/4908-67-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4968-70-0x00000000711A0000-0x00000000714F4000-memory.dmp

memory/4968-69-0x0000000070A20000-0x0000000070A6C000-memory.dmp

memory/4968-81-0x0000000007690000-0x00000000076A1000-memory.dmp

memory/4968-82-0x00000000076E0000-0x00000000076F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e9989ad1917f196a8778dbc151c7470d
SHA1 bce199086b64204c61acfddc1657f4c4c643b94d
SHA256 12b52ac78e31b0b3bb4349af8e9981c4859d240bd389c0450f9d0fff1b7bc76f
SHA512 7f7d871001d7a9ef3c9d536223c708a1d31a709f204b7e0460ad7f47225d8542685f843e7be752ee9da144423dccf16e296f9c974d7fce30130b1ae9083ff90c

memory/4552-96-0x0000000070A20000-0x0000000070A6C000-memory.dmp

memory/4552-97-0x00000000711A0000-0x00000000714F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f37e0fff075169ac718c1fcc7cd3cc53
SHA1 dd5ffea9fbb58265e545a373e626688b3645b0fd
SHA256 06cfa935ed2f407a6eb13d6912c6b293ffebd975b3d19e2d800942011ab9332b
SHA512 3ab74938ff7fda69beba7d241fff6e546c74c308541044da91a73641f2b58dd70bfff6d689accdc36f86a3bf572d0aa577d2722a7d4289d92a07298ded5f89eb

memory/2500-119-0x00000000711A0000-0x00000000714F4000-memory.dmp

memory/2500-118-0x0000000070A20000-0x0000000070A6C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b2d6159b5666d2f4bd6bab456fe7b03f
SHA1 9081d667c4aa7180a361597b9c9ae400814939e5
SHA256 1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb
SHA512 1ded3d6be3c5ae1cf0ae41e77cd77d507d49b0972dfcf2f168678977262b748ed0f0065282f421b143f7f7325da2b117e176237f5c97664c37b9f6a8c89e9cab

memory/4908-136-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 09e7a29aece1d6765c76404596266f07
SHA1 8dd24e5e596d2e6e934b4d32ceb59ae71e3ad4d4
SHA256 c93471c191c09677a05ce993b847997924dedb456ed645046880cde16e3bc869
SHA512 2bba46804759894e85e706fac2b35f767258c5dc6917973965fe0e60172bee1a5c37cfe41bc2b39d1281f2aca41e039faddc5a2a3ba56d6e57e8074a9fd2d7af

memory/4996-148-0x0000000070A20000-0x0000000070A6C000-memory.dmp

memory/4996-149-0x00000000711A0000-0x00000000714F4000-memory.dmp

memory/2196-169-0x0000000005BF0000-0x0000000005F44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 446c0c3b7ee47c6b6d2945b820b1b822
SHA1 19b9da05e05d780bbf580181ffcedc1e5a4cd06c
SHA256 842463b4b13027cd25188d709351490c9b8fc8631a13c05220c9c4b2db7a046a
SHA512 37b93b6d25385c1760295e5793dedcf6ccb83ed2fd0614d8be04692f4e141cdd3a5f5622d171cf4d58c592600fbb33a6e42e1c4533efafada321c8e775add4af

memory/2196-171-0x0000000006310000-0x000000000635C000-memory.dmp

memory/2196-183-0x0000000007500000-0x00000000075A3000-memory.dmp

memory/2196-173-0x00000000710F0000-0x0000000071444000-memory.dmp

memory/2196-172-0x0000000070940000-0x000000007098C000-memory.dmp

memory/2196-184-0x00000000077F0000-0x0000000007801000-memory.dmp

memory/2196-185-0x00000000060B0000-0x00000000060C4000-memory.dmp

memory/2816-196-0x0000000005780000-0x0000000005AD4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5eaafc8dc1e062d4a610ae8246578da0
SHA1 ec6532007cdfea71adcfe1c8a96c8c458be4bf34
SHA256 89c89cba7b53340f7a99048df581362835b6b3f6c3b955b26c1dc451e30f92d8
SHA512 0c218c1a384730eec91a038d1dc755ac29d423954dab31eb0f793a7aa17093b585860254479ee83c8b985d4c9c56a69bb9af19c18e0b2ab275da54bc983b01fa

memory/2816-198-0x0000000070940000-0x000000007098C000-memory.dmp

memory/2816-199-0x00000000710D0000-0x0000000071424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3600-217-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1836-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/432-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1836-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3600-229-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/432-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3600-233-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3600-237-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/432-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3600-240-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3600-245-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3600-249-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3600-253-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3600-257-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3600-261-0x0000000000400000-0x0000000002ED6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 16:45

Reported

2024-05-09 16:48

Platform

win11-20240426-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\system32\cmd.exe
PID 3996 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\system32\cmd.exe
PID 4676 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4676 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3996 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\rss\csrss.exe
PID 3996 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\rss\csrss.exe
PID 3996 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe C:\Windows\rss\csrss.exe
PID 2544 wrote to memory of 896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2260 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2260 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2260 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 748 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2544 wrote to memory of 748 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5072 wrote to memory of 3272 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3272 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3272 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3272 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3272 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3272 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe

"C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe

"C:\Users\Admin\AppData\Local\Temp\1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e957f422-5c8e-4d43-b766-3fe4a6d1512b.uuid.statstraffic.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server14.statstraffic.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server14.statstraffic.org tcp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 udp
BG 185.82.216.104:443 server14.statstraffic.org tcp

Files

memory/3012-1-0x0000000003420000-0x000000000381F000-memory.dmp

memory/3012-2-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/3012-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4864-4-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

memory/4864-5-0x0000000003260000-0x0000000003296000-memory.dmp

memory/4864-7-0x0000000005AC0000-0x00000000060EA000-memory.dmp

memory/4864-6-0x0000000073F10000-0x00000000746C1000-memory.dmp

memory/4864-9-0x0000000005950000-0x0000000005972000-memory.dmp

memory/4864-8-0x0000000073F10000-0x00000000746C1000-memory.dmp

memory/4864-10-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/4864-11-0x00000000061E0000-0x0000000006246000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avfaqsyc.zdo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4864-20-0x0000000006250000-0x00000000065A7000-memory.dmp

memory/4864-21-0x0000000006710000-0x000000000672E000-memory.dmp

memory/4864-22-0x0000000006760000-0x00000000067AC000-memory.dmp

memory/4864-23-0x0000000006C90000-0x0000000006CD6000-memory.dmp

memory/4864-24-0x0000000007B40000-0x0000000007B74000-memory.dmp

memory/4864-26-0x0000000070300000-0x0000000070657000-memory.dmp

memory/4864-35-0x0000000007B80000-0x0000000007B9E000-memory.dmp

memory/4864-36-0x0000000007BA0000-0x0000000007C44000-memory.dmp

memory/4864-25-0x0000000070180000-0x00000000701CC000-memory.dmp

memory/4864-38-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

memory/4864-37-0x0000000008310000-0x000000000898A000-memory.dmp

memory/4864-39-0x0000000007D10000-0x0000000007D1A000-memory.dmp

memory/4864-40-0x0000000007E20000-0x0000000007EB6000-memory.dmp

memory/4864-41-0x0000000007D30000-0x0000000007D41000-memory.dmp

memory/4864-42-0x0000000007D80000-0x0000000007D8E000-memory.dmp

memory/4864-43-0x0000000007D90000-0x0000000007DA5000-memory.dmp

memory/4864-44-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

memory/4864-45-0x0000000007E00000-0x0000000007E08000-memory.dmp

memory/4864-48-0x0000000073F10000-0x00000000746C1000-memory.dmp

memory/3012-52-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/3012-51-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3012-49-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2220-61-0x0000000006260000-0x00000000065B7000-memory.dmp

memory/2220-62-0x0000000006720000-0x000000000676C000-memory.dmp

memory/2220-63-0x0000000070290000-0x00000000702DC000-memory.dmp

memory/2220-64-0x0000000070410000-0x0000000070767000-memory.dmp

memory/2220-73-0x0000000007950000-0x00000000079F4000-memory.dmp

memory/2220-74-0x0000000007C90000-0x0000000007CA1000-memory.dmp

memory/2220-75-0x0000000007CE0000-0x0000000007CF5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 86440b930a31c0fccdedbf21b4d47d1a
SHA1 0b9a41ebe77f3ec1fd62dd0b58ca65232b13f8b5
SHA256 15300ad245312b9b2cb0cb8089ddce4192f80e616f1c043dbf89a2dd12c502f1
SHA512 170b9e512b48f2ce1020419a83c6d9c4ff0eeda35c7242398d9436c2d9b9125f95f02987eb00f8f03f6693ddd352e0c311e97869aff9a48cb55453c4549b36f3

memory/4232-88-0x0000000070290000-0x00000000702DC000-memory.dmp

memory/4232-89-0x0000000070410000-0x0000000070767000-memory.dmp

memory/4840-107-0x0000000005E70000-0x00000000061C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f9b409136140c372d4031cc4f5a58476
SHA1 bb9c83118373a9a6170f3870f638c5a44a02b115
SHA256 8b18c98cda3c0317c627b8286a40cce7db9bffcf2019d385d16754632a3ec0f5
SHA512 b446cd0c47455692c093c116d4c5bdec9b475dba437471e99a8e2f04c7ee5c28ce410f74d7ba2c60610561a896464f91ba507745fa9bdda33df91e6ea1e29b50

memory/4840-109-0x0000000070290000-0x00000000702DC000-memory.dmp

memory/4840-110-0x00000000704E0000-0x0000000070837000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b2d6159b5666d2f4bd6bab456fe7b03f
SHA1 9081d667c4aa7180a361597b9c9ae400814939e5
SHA256 1c140d9eae8dded95d0a83d3b909b77632725fdf130eb8f28a5ec4717224b2bb
SHA512 1ded3d6be3c5ae1cf0ae41e77cd77d507d49b0972dfcf2f168678977262b748ed0f0065282f421b143f7f7325da2b117e176237f5c97664c37b9f6a8c89e9cab

memory/3996-123-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/896-131-0x0000000005BA0000-0x0000000005EF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3c5474eccdc84c069bacbf040cad927
SHA1 7c08690bd4b27127e69d6de6b6f364a0c24f54c3
SHA256 47ac0bf3a3f81d639e9451f8ead9192548ae0eb22140eeff29b44eddb22b0e28
SHA512 44d1c685656f45e36de660ab0509cf1cb93662b5d139956ed5ff526728bafbec5107ccdead6ea40429d57c71edc898655def86eae7a5b74c586bfdc300d3a0e4

memory/896-136-0x00000000061A0000-0x00000000061EC000-memory.dmp

memory/896-137-0x00000000701F0000-0x000000007023C000-memory.dmp

memory/896-138-0x0000000070440000-0x0000000070797000-memory.dmp

memory/896-147-0x00000000073F0000-0x0000000007494000-memory.dmp

memory/896-148-0x0000000007720000-0x0000000007731000-memory.dmp

memory/896-149-0x0000000005F60000-0x0000000005F75000-memory.dmp

memory/2260-159-0x00000000059D0000-0x0000000005D27000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 de569008a1d71ff22aaca2ec112da367
SHA1 af6536902a9bdd8cbc68f2cb6a26fc7e448cd23a
SHA256 a30d8735ec80825f794b055ea0e5f9c40c68573afcb574d07a547e06428c081a
SHA512 64f412a5467161cbe8ed2856e52510befbde3aeed2e4924bc67a9536e66ec8e65c839594aeb0216e76490366e801e21cd6c06d986cf21bc23f1d4c65ee80e32b

memory/2260-161-0x0000000006300000-0x000000000634C000-memory.dmp

memory/2260-162-0x0000000070110000-0x000000007015C000-memory.dmp

memory/2260-163-0x0000000070290000-0x00000000705E7000-memory.dmp

memory/2260-172-0x0000000006FE0000-0x0000000007084000-memory.dmp

memory/2260-173-0x0000000007320000-0x0000000007331000-memory.dmp

memory/2260-174-0x0000000005180000-0x0000000005195000-memory.dmp

memory/2436-184-0x0000000005850000-0x0000000005BA7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e59e8786e74ed2553c3f96fbd4089f07
SHA1 c1bc73171dbbdfa9893a178dfabc31e96c38018c
SHA256 d6c14b75a272c54743f931c5565f14f45ec3f80493b5e159c845d9949b116d5f
SHA512 01a261ba38ebba2f5e0a0bff4f64388e663646cb945608eb9176cdf4c43477bc6f1ec93d0189242f0b7b5d1ec97668bd8a8fa426b36a6ab2764c7fec9983e5aa

memory/2436-187-0x0000000070340000-0x0000000070697000-memory.dmp

memory/2436-186-0x0000000070110000-0x000000007015C000-memory.dmp

memory/2544-197-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4416-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5072-211-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5072-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2544-212-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4416-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2544-213-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-215-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4416-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2544-217-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-220-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-221-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-223-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-225-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-228-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-229-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2544-231-0x0000000000400000-0x0000000002ED6000-memory.dmp