Malware Analysis Report

2025-06-16 01:59

Sample ID 240509-x63b9sdh68
Target ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e
SHA256 ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e

Threat Level: Known bad

The file ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:28

Reported

2024-05-09 19:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 rule matches; the report records no indicator, process or target for any of them.

Modifies Windows Firewall

evasion
netsh.exe is started through cmd.exe to add an inbound allow rule named "csrss" for C:\Windows\rss\csrss.exe (full command line under Processes). The firewall is not disabled; a hole is opened for the implant, so the rule name and program path are the things to hunt for.
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Three dropped binaries run. C:\Windows\rss\csrss.exe borrows the name of the legitimate C:\Windows\System32\csrss.exe but lives in a non-standard directory; any csrss.exe outside System32 is an indicator on its own. C:\Windows\windefender.exe is a Defender look-alike whose cmd.exe child adjusts the security descriptor of a service named WinDefender (see "Launches sc.exe"). injector.exe is started with taskmgr.exe and NtQuerySystemInformationHook.dll as arguments, consistent with hooking NtQuerySystemInformation inside Task Manager to hide processes from its list.
Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
5 rule matches; the report records no indicator, process or target for any of them.

Adds Run key to start application

persistence
The Run value is written both by the dropper and by csrss.exe itself, so deleting the value without removing the binary and the "csrss" scheduled task does not hold.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\Windows\rss\csrss.exe" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\Windows\rss\csrss.exe" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
csrss.exe opens the device \??\WinMonFS, exposed by the WinMonFS file-system driver that Glupteba's kernel component installs to hide its files. A user-mode process getting a handle to it is the evidence behind the rootkit tag and means the driver was already loaded at that point.
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

The paths below are PowerShell's own startup-profile cache and CLR usage log, written under C:\Windows\SysWOW64\config\systemprofile, the profile directory of LocalSystem. They show that the 32-bit powershell.exe instances were running as SYSTEM; they are not dropped payloads.
Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

The indicator is not a DLL but the device name \??\VBoxMiniRdrDN, created by the VirtualBox shared-folders driver inside a guest. Opening it is a cheap VM check that only detects VirtualBox, which is why the sample still ran to completion on this platform.
Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A

Launches sc.exe

sc.exe is started by windefender.exe through cmd.exe as "sc sdset WinDefender ..." (full command line under Processes). The descriptor it applies explicitly denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE (WP, DT) to Administrators and also leaves those two rights out of the Administrators allow ACE, so "sc stop" and "net stop" fail for local admins. Administrators keep WRITE_DAC and DELETE, so the lock-out is reversible: reset the descriptor with sc sdset or delete the service.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Two identical schtasks /CREATE invocations register a task named "csrss" that runs C:\Windows\rss\csrss.exe at every logon with highest privileges (/SC ONLOGON /RL HIGHEST); a third invocation deletes a task named "ScheduledUpdate". Command lines under Processes.
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Two kinds of writes. The MuiCache entries are localized time-zone display names pulled from tzres.dll and cached when a process enumerates the installed time zones; they are noise, not configuration. The SystemCertificates, WinTrust and Internet Settings zone-map keys are created by powershell.exe initialising its certificate and Authenticode stores. Both land under HKU\.DEFAULT, the hive HKCU resolves to for LocalSystem, which matches the systemprofile paths in the previous section: the sample, windefender.exe and the PowerShell children were running as SYSTEM when they made these writes.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Every pair below is a parent writing into a process it has just started (compare the Processes list), so the table doubles as the parent/child map of the detonation; it is not evidence of injection into a foreign process. Most targets are powershell.exe instances started as "powershell -nologo -noprofile" with no -Command or -File argument, meaning the script was fed over stdin and is absent from command-line telemetry; recover it from PowerShell script block logging (Event ID 4104) rather than from process-creation events.
Description Indicator Process Target
PID 4548 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\system32\cmd.exe
PID 784 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 784 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5076 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\rss\csrss.exe
PID 5076 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\rss\csrss.exe
PID 5076 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\rss\csrss.exe
PID 3808 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4188 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4188 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4188 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 2680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 2680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 2680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4764 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3808 wrote to memory of 4764 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 880 wrote to memory of 2284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 2284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 2284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2284 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2284 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
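Because each row is a parent and the child it has just started, the table can be folded into the detonation's process tree. The Python below is an added example (not sandbox output and not Glupteba's code): the rows are copied from the table above, one entry per distinct pair, and the only judgement it adds is flagging a process whose image carries a protected system binary's name but lives outside System32.

```python
"""Rebuild the detonation's process tree from the sandbox's
"PID X wrote to memory of Y" rows and flag masqueraded names.
Added example; the rows are copied from the report above."""
from collections import defaultdict
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WINDEF = r"C:\Windows\windefender.exe"

# (source pid, target pid, source image, target image); the report
# repeats each pair two or three times, the set below lists each once.
WPM_ROWS = [
    (4548, 4516, SAMPLE, PS32),
    (5076, 4164, SAMPLE, PS32),
    (5076, 784, SAMPLE, r"C:\Windows\system32\cmd.exe"),
    (784, 336, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\netsh.exe"),
    (5076, 448, SAMPLE, PS32),
    (5076, 4616, SAMPLE, PS32),
    (5076, 3808, SAMPLE, CSRSS),
    (3808, 3632, CSRSS, PS32),
    (3808, 4188, CSRSS, PS32),
    (3808, 2680, CSRSS, PS32),
    (3808, 4764, CSRSS, INJECTOR),
    (880, 2284, WINDEF, r"C:\Windows\SysWOW64\cmd.exe"),
    (2284, 3880, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\sc.exe"),
]

# System binaries whose names get borrowed, with their only legitimate path.
PROTECTED = {"csrss.exe": r"c:\windows\system32\csrss.exe"}


def build_tree(rows):
    """Return (children, images): children maps pid -> sorted child pids,
    images maps pid -> image path. Repeated rows collapse into one edge."""
    children = defaultdict(set)
    images = {}
    for src, dst, src_img, dst_img in rows:
        children[src].add(dst)
        images[src] = src_img
        images[dst] = dst_img
    return {pid: sorted(kids) for pid, kids in children.items()}, images


def roots(children):
    """PIDs that are never a target: the entry point of each subtree."""
    targets = {kid for kids in children.values() for kid in kids}
    return sorted(pid for pid in children if pid not in targets)


def masquerades(images):
    """PIDs whose image has a protected binary's name but a different path."""
    hits = []
    for pid, path in sorted(images.items()):
        legit = PROTECTED.get(ntpath.basename(path).lower())
        if legit and path.lower() != legit:
            hits.append(pid)
    return hits


def render(children, images, flagged, pid, depth=0):
    """One indented line per process for the subtree rooted at pid."""
    mark = "  <-- system binary name outside System32" if pid in flagged else ""
    lines = [f"{'  ' * depth}{pid} {images[pid]}{mark}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, flagged, kid, depth + 1))
    return lines


def render_all(rows):
    """Full tree, one subtree per root, as a list of text lines."""
    children, images = build_tree(rows)
    flagged = set(masquerades(images))
    return [line for root in roots(children)
            for line in render(children, images, flagged, root)]


if __name__ == "__main__":
    print("\n".join(render_all(WPM_ROWS)))
```

The three roots that fall out (880, 4548, 5076) are worth noting: the sample ran twice, and windefender.exe (PID 880) has no recorded parent, so its launch is not visible in these rows and has to come from the Processes list or the service start.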

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe

"C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe

"C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71aea0f7-9612-48eb-a9cd-cd06a4f00c87.uuid.localstats.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server13.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server13.localstats.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server13.localstats.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
BG 185.82.216.111:443 server13.localstats.org tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgdscnq4.qgf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aaed39d59a7cb868027170e437ca950f
SHA1 bc9cfc2344173a882c67aa36d3f33850f29c1394
SHA256 b037dc8abf41df9ea326330c5e10d5ac458f0e08426d23526c7e42be09da84cd
SHA512 ca30b53e08310c9dd0d12417774ac88a82710bfdcd03a7316c798c1641cebadafac1dbb5101c89926760cdce2b12b09f73d6d05de99ff5d875b2da657d0424f6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2f96efc2cdc8abdde44da26d1129a10
SHA1 52b16f1a91e98237be344cbc4321384c8ab51402
SHA256 469ebb618e5e51c2ead7c84185babf6843cc9a94ad84d4de047a1381c07c1ee1
SHA512 0f5802b99c2816ee64969934734ca5325e7eb060a5115d5ffe78b0522efe3e3c8f3898b1ff65cac800f0dc29ab7a8a1f7637c1346f3f89e1a9e8148d6dccd279

C:\Windows\rss\csrss.exe

MD5 387fe7531bfac16c30d971892520ba53
SHA1 d8d12ae258523c625cfc1550b2a96ec7cc39d146
SHA256 ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e
SHA512 571cf0da7c5081a2c5088d8586a6c15723f6b3366d29263f3dbb7421a510ff4d260528559faabaf5f005ab03abe5ca02bef6dba7f4863f3f98cd1555a6050898

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e20a7c1103b1e987928b8cd404d62466
SHA1 b8fd37845085e1783200e96aab040e263b29fd3e
SHA256 e0659f7f3f75370a756162052aa87e682600bb304545ca88a1d4b2ec4a81897d
SHA512 6fc5ab63d6ab96f9e30172964365eac5765f0753f7a33eb157857d48ab7785a4084b2a1b07c1a575c4949dc6d790214427b2167eb867673418027aa8e36ff90e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b3090957482135d8a44b93554e488bde
SHA1 b0e3eb47874da306f9f1b6abe76e0ba8726402cb
SHA256 a163a041be9c50480e16edee2440bc28e8a4094a15fd583e798442c7bfaaf5f3
SHA512 2bf6a05fed5df81e8bff6c1e54bfd13fd48fce689e090e9091019577821376972f75319fe3ec2185bfed102fe649a498cffb48da68ceb3e2d61f7c025d700d76

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8e59f186a145d62348a9303ddbf6b926
SHA1 74b6a2501cf4b85763f5bdbaf8166fe299697b8f
SHA256 fcb2ad5d4c0694d964c1fbaeecc17b941fcf271c5754040665f32d38708600b3
SHA512 44e4d4c6f8870af60fdc00b54466d4360268bad9b1d539050519b2c06f2972b8400327fa2c353c1064b20e591297a4045c39af1b64f3d3e6b8c2b303c0e1fafa

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:28

Reported

2024-05-09 19:31

Platform

win11-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4756 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe C:\Windows\rss\csrss.exe
PID 2732 wrote to memory of 612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 2176 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 2616 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3816 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4056 wrote to memory of 564 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe

"C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe

"C:\Users\Admin\AppData\Local\Temp\ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 33ccd55a-af42-4ce9-b042-1b4bb6c3d2e4.uuid.localstats.org udp
US 8.8.8.8:53 server7.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.111:443 server7.localstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server7.localstats.org tcp
IE 52.111.236.22:443 tcp
BG 185.82.216.111:443 server7.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzh1bsep.zpz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 844ed984bb2cc043a00711548996b476
SHA1 4db69a34573701bd1939ba05c09c728742e1940a
SHA256 b9c6705cafc3f4dcfa818b54963619f6080d1a16775464cf355d9407c294699b
SHA512 ac52317ce0f6f3a876a88f782d7a53f346e7934b69f21ecfb068697b551274ef7719535a886ae0acce84efe84ab02774c800a01fc141c184fd9a02d23a4001e5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b530519eddb6b9b91ecfdd999bcab41d
SHA1 8ab07331e97086b2e9c3fcd994b605ce0993a22f
SHA256 de1dbed2b15ccd0cdc71c5b8f7bada57f031c19cde62950516e2d93379c626c0
SHA512 d170f706f875d8d4af5d58e034d5d6f55dc67a3a6d41dc422640916822196b02eda2a6bec73493955db849f091ba5edc69486fa4e885094ccdaafc36187b7e4f

C:\Windows\rss\csrss.exe

MD5 387fe7531bfac16c30d971892520ba53
SHA1 d8d12ae258523c625cfc1550b2a96ec7cc39d146
SHA256 ee2379552dfa15ba3ad43d75425ac00626db3c41cd26b3106f6d26f4d5d5299e
SHA512 571cf0da7c5081a2c5088d8586a6c15723f6b3366d29263f3dbb7421a510ff4d260528559faabaf5f005ab03abe5ca02bef6dba7f4863f3f98cd1555a6050898

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aad172716ed2d81b03df871307b1c3c8
SHA1 fa56d474958cf36d0a00b014ee7216271fb7e47e
SHA256 aec4e2c9f1e1e55229d89f290947cbb06d16666ce8a7c2bb7ab781330c9a64f3
SHA512 15b9118a6d1b49838366e95cc311eb12fc67373ffb6955784adc5d0dcf12878d05938411a13819b3756d5e2b787d46cc0aeaa99cf85ccc999335cc7200e2cf27

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c380308f085d046e7d469342a12ca2c
SHA1 300117d651afb6062bb07e42a70fa2f6919cc3e6
SHA256 9d220c9052d753a6a7f41648683e5d7ec7399c3155de00075d9edae2cf6aabe4
SHA512 eb73dffa1ac1712ac2f56ff6881f9644af325edcdfad855d0d865e7ff9c5bbf8b70326e24ce3947bd5e7fde1b93c2934d2467af733e59c9dd331eeb6dfad1267

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 20858b077bdcea490f8ef1bb39ff37ac
SHA1 59b66457b6abda1885f1844da8e2845a53627f08
SHA256 645b13cd332a7383881d30c184dc130c0996779342c7be38683b1074284e910e
SHA512 438d57093351c8b564ba75d25b015e29720153a18cb7a580253a3395cf55e0eb031f17c9d076053ef30a51187c4199e9428f603413e0554777129fe152cbd4d6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
