Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x34qxsdg66
Target 4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5
SHA256 4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5

Threat Level: Known bad

The file 4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:23

Reported

2024-05-09 19:26

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3772 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3772 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\system32\cmd.exe
PID 2672 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3772 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3772 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3772 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\rss\csrss.exe
PID 2812 wrote to memory of 4732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 1256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 3548 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 4752 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4496 wrote to memory of 4468 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe

"C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe

"C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 34.40.53.23.in-addr.arpa udp
US 8.8.8.8:53 14aa5f95-1c60-410b-9f0a-fb1a2fa15d2a.uuid.theupdatetime.org udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server15.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server15.theupdatetime.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server15.theupdatetime.org tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
BG 185.82.216.108:443 server15.theupdatetime.org tcp
US 8.8.8.8:53 74.196.17.2.in-addr.arpa udp
BG 185.82.216.108:443 server15.theupdatetime.org tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/464-1-0x0000000003240000-0x0000000003646000-memory.dmp

memory/464-2-0x0000000004F30000-0x000000000581B000-memory.dmp

memory/464-4-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/464-3-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3628-5-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/3628-6-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

memory/3628-7-0x0000000005390000-0x00000000059B8000-memory.dmp

memory/3628-8-0x00000000059F0000-0x0000000005A12000-memory.dmp

memory/3628-9-0x0000000005B90000-0x0000000005BF6000-memory.dmp

memory/3628-10-0x0000000005C00000-0x0000000005C66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbm44xs5.wbq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3628-20-0x0000000005E40000-0x0000000006194000-memory.dmp

memory/3628-21-0x0000000006240000-0x000000000625E000-memory.dmp

memory/3628-22-0x00000000062F0000-0x000000000633C000-memory.dmp

memory/3628-23-0x00000000067C0000-0x0000000006804000-memory.dmp

memory/3628-24-0x0000000007590000-0x0000000007606000-memory.dmp

memory/3628-26-0x0000000007610000-0x000000000762A000-memory.dmp

memory/3628-25-0x0000000007C90000-0x000000000830A000-memory.dmp

memory/3628-27-0x00000000077D0000-0x0000000007802000-memory.dmp

memory/3628-28-0x0000000070E00000-0x0000000070E4C000-memory.dmp

memory/3628-39-0x0000000007810000-0x000000000782E000-memory.dmp

memory/3628-29-0x0000000070F80000-0x00000000712D4000-memory.dmp

memory/3628-40-0x0000000007830000-0x00000000078D3000-memory.dmp

memory/3628-41-0x0000000007920000-0x000000000792A000-memory.dmp

memory/3628-42-0x00000000079E0000-0x0000000007A76000-memory.dmp

memory/3628-43-0x0000000007940000-0x0000000007951000-memory.dmp

memory/3628-44-0x0000000007980000-0x000000000798E000-memory.dmp

memory/3628-45-0x0000000007990000-0x00000000079A4000-memory.dmp

memory/3628-46-0x0000000007A80000-0x0000000007A9A000-memory.dmp

memory/3628-47-0x00000000079C0000-0x00000000079C8000-memory.dmp

memory/3628-50-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/464-52-0x0000000003240000-0x0000000003646000-memory.dmp

memory/464-54-0x0000000004F30000-0x000000000581B000-memory.dmp

memory/464-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/464-53-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3988-56-0x00000000057D0000-0x0000000005B24000-memory.dmp

memory/3988-66-0x0000000070E00000-0x0000000070E4C000-memory.dmp

memory/3988-67-0x0000000071580000-0x00000000718D4000-memory.dmp

memory/3988-77-0x0000000006FC0000-0x0000000007063000-memory.dmp

memory/3988-78-0x00000000072F0000-0x0000000007301000-memory.dmp

memory/3988-80-0x0000000007340000-0x0000000007354000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4116-84-0x00000000061B0000-0x0000000006504000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f04ec60523c5423459bddfa99cdd70a7
SHA1 6a0ce47677992c5553bc512cdfb9f2654a45218b
SHA256 dd62494ccf6ce1493668fea84241c378ede972ea8ca2c15316cded7f404cf4e2
SHA512 9c8c72b761cde8ad90dede95404f98af8ca684b2dd9010f495deecabeecd98d32c5e98d3b9711837219f64278e1cf4e52736721ee93c6f71c03af710046ed2a0

memory/4116-95-0x0000000070E00000-0x0000000070E4C000-memory.dmp

memory/4116-96-0x00000000715A0000-0x00000000718F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 69bd4444d00297c84fb52fb6e3581873
SHA1 989ea15e338686f20279d7f81b8936cbff157bab
SHA256 8833ec09881f63b7498804f38b3f7e52565c76c3ca6bde693b214a41a28e646e
SHA512 e1b2c0c33d01316a2045178f74aa522032674a8a8c6c2cb143157f6a0528e02e7c7e72fde730cdf1f06509a8e8c4788bc4acfb0f20a7d0750cc4c360101c9b7a

memory/3772-117-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4108-118-0x0000000070E00000-0x0000000070E4C000-memory.dmp

memory/4108-119-0x0000000070F80000-0x00000000712D4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d83946b785aa670464c0ee497ae0026a
SHA1 2b48bfb70b8c7f0bbf5e90fc352c9be7135fc751
SHA256 4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5
SHA512 327aae9846b1f3fe6d60e673b4b7ffb5ee2309b01b9e47974bdc1a9daf58a3516b197b5b7ccc33788b9e3196efed0249d4b19949377fc1029af85effef5eb505

memory/3772-134-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4732-147-0x0000000005D20000-0x0000000006074000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 df9bc87fc38a3fbe490491ba0d3ae47d
SHA1 783d88acbdc62427cab27232bd7cdf4be8d5351d
SHA256 d859b56674ea27e2912eac7a1c01c58d2091c039b40de0ca38568ae3d6b703db
SHA512 dee67d95b2b955ed5a4d67d0574f63775b0a4a35b88c41d54372346819c2df4ce8ab16faedbe306f306cfcffba07bce86da51cce6987d584532b00f4f7fb2258

memory/4732-149-0x0000000070E00000-0x0000000070E4C000-memory.dmp

memory/4732-150-0x0000000070FA0000-0x00000000712F4000-memory.dmp

memory/1256-170-0x0000000005A50000-0x0000000005DA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1fa8733c6add54a30743636ac640979a
SHA1 cd321fa452efe778c6a9142dc06bb8b469e85649
SHA256 1685282dcbcd34e5093c42037f9d6fe1ff42080bfab57f435241d7a7350e84d2
SHA512 c7e926b3dc01c4417c0431d3ec0905bb72b855207020741e3185a0e058ed48c9b0f369f2aed0520beb83235bc93d9175169b586d73301055bcfc1c80dd6d9878

memory/1256-172-0x0000000006070000-0x00000000060BC000-memory.dmp

memory/1256-173-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/1256-174-0x0000000070EA0000-0x00000000711F4000-memory.dmp

memory/1256-184-0x0000000007310000-0x00000000073B3000-memory.dmp

memory/1256-185-0x0000000007560000-0x0000000007571000-memory.dmp

memory/1256-187-0x0000000005820000-0x0000000005834000-memory.dmp

memory/2812-186-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3548-189-0x00000000063A0000-0x00000000066F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd4324f538f5448e85726c7128b556f8
SHA1 97357743c7376f19e2750c0901e7a8ddb5af5d55
SHA256 0b34847c1bb64d8766e58c9881ef0997ebb4b88b0db32b81f7199d1280b35293
SHA512 994f32664a2d2a630809f39115783e49aa3c12a2b508dc7ef46cf9292cd9a8c012b30f774f5997914a07013e6470f36659e985170893f7865c1d293b80ca90c7

memory/3548-200-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/3548-201-0x00000000714B0000-0x0000000071804000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2812-218-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4496-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4496-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2812-228-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4912-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2812-231-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2812-234-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4912-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2812-237-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2812-240-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2812-243-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2812-246-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2812-249-0x0000000000400000-0x0000000002EDD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:23

Reported

2024-05-09 19:26

Platform

win11-20240426-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4068 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4180 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\rss\csrss.exe
PID 4180 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\rss\csrss.exe
PID 4180 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe C:\Windows\rss\csrss.exe
PID 2072 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2072 wrote to memory of 2592 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2072 wrote to memory of 2592 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4616 wrote to memory of 1720 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 1720 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 1720 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1720 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1720 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe "C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe "C:\Users\Admin\AppData\Local\Temp\4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\system32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe "C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6f9abb78-883f-41c2-91b6-3cfd10ce85f6.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server1.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server1.theupdatetime.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server1.theupdatetime.org tcp
BG 185.82.216.108:443 server1.theupdatetime.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npdxfjns.psr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 024d8e19c9b85a7d0e4c19a428b88cd8
SHA1 1402996018edc2b4660bc00ce262e12bd57aa2e2
SHA256 b1a0cf3ce570470ae12b2fbfd4d315b55d2ead13b06876797def679608b6b433
SHA512 3c1068d98d083022bd4ee45a8ed906d4090903ad26358f96d70c33d65fcfc00e1045a16cca0da735e88e711cdec56cf1270c051ecec71726a4c2224d4f6f42a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 16952cfb800f8da624cf301d8432b886
SHA1 c19cfeab394fc773c9fa2bca661032f5428bfbc8
SHA256 dd022d672370c0f58172e80f75ba254417551bfb920389cae39b5c7ef536d11b
SHA512 a5ba56b8d8b5c45f0cf191cd03b9d1bdb2b9e17786c1f8e68d33de7088235d4f51b103e86f6afd2dbd1611928c1d7fa2d4bdb2117b8a576927d9dd245bded3d4

C:\Windows\rss\csrss.exe

MD5 d83946b785aa670464c0ee497ae0026a
SHA1 2b48bfb70b8c7f0bbf5e90fc352c9be7135fc751
SHA256 4ce75530c839056bad57b070e33931e0c65e8a23fdd8cdbbb98fddc432c527c5
SHA512 327aae9846b1f3fe6d60e673b4b7ffb5ee2309b01b9e47974bdc1a9daf58a3516b197b5b7ccc33788b9e3196efed0249d4b19949377fc1029af85effef5eb505

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c679c5fe11748c6b2994a26c37a3110d
SHA1 c5da17ce3a530c1d5ce562955bb9facb9d130d2c
SHA256 708a126ccb7218d00e7ac671a88bdda920f170a4f420a02691faf91055800ad5
SHA512 91bfce1de8a39ba8a22cab91c915adf3883c9eed23bad847ba5e4d5ab970f32da43de296123062667b23abafe0d36246aec8cb88a5b7265a9bd0f9396b80f381

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2aead030855f1e2fe32500e10ef48af3
SHA1 f4f94d1b5d07ea48e10566761993328ddb6072d1
SHA256 f79ccda560ac3d0ab5fcbffa650636cc873669513281eb8eecbb38fe0e24c40b
SHA512 d120e91c239690859f70e2cf7814e9dd1a875282edc6f18861132a12b22e4244ff2b7cae815363ec2e344decc76552a3c93bd31091d6cef09b2b45f37a4311a0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
