Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-xz9g1aaf2s
Target e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1
SHA256 e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK: Enterprise Matrix V15
  Analysis: static1 (Detonation Overview, Signatures)
  Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256

e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1

Threat Level: Known bad

The file e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:18

Reported

2024-05-09 19:21

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target Count
N/A N/A N/A N/A 18

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Windows\rss\csrss.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 1
N/A N/A C:\Windows\windefender.exe N/A 2

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 7

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A 2

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 17
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 29
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1004 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3228 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3228 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\system32\cmd.exe 2
PID 816 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 3228 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3228 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3228 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\rss\csrss.exe 3
PID 1376 wrote to memory of 3940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1376 wrote to memory of 3888 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1376 wrote to memory of 4508 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1376 wrote to memory of 3736 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 4812 wrote to memory of 2464 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2464 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe

"C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3628,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe

"C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 74.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4ac6b0e6-b4c7-4fdf-8153-47f54c705e05.uuid.alldatadump.org udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server4.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server4.alldatadump.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server4.alldatadump.org tcp
BG 185.82.216.108:443 server4.alldatadump.org tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
BG 185.82.216.108:443 server4.alldatadump.org tcp

Files

memory/1004-1-0x00000000033B0000-0x00000000037B0000-memory.dmp

memory/1004-2-0x0000000005050000-0x000000000593B000-memory.dmp

memory/1004-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1952-4-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/1952-5-0x0000000004860000-0x0000000004896000-memory.dmp

memory/1952-6-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1952-7-0x0000000004F00000-0x0000000005528000-memory.dmp

memory/1952-9-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1004-8-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1952-10-0x0000000004D60000-0x0000000004D82000-memory.dmp

memory/1952-11-0x0000000005760000-0x00000000057C6000-memory.dmp

memory/1952-12-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/1952-13-0x0000000005840000-0x0000000005B94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwsxbcb3.yyq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1952-23-0x0000000005E30000-0x0000000005E4E000-memory.dmp

memory/1952-24-0x0000000005E60000-0x0000000005EAC000-memory.dmp

memory/1952-25-0x00000000063B0000-0x00000000063F4000-memory.dmp

memory/1952-26-0x0000000006F40000-0x0000000006FB6000-memory.dmp

memory/1952-27-0x0000000007640000-0x0000000007CBA000-memory.dmp

memory/1952-28-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

memory/1952-29-0x00000000073A0000-0x00000000073D2000-memory.dmp

memory/1952-30-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/1952-31-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1952-32-0x00000000712C0000-0x0000000071614000-memory.dmp

memory/1952-42-0x00000000073E0000-0x00000000073FE000-memory.dmp

memory/1952-43-0x0000000007400000-0x00000000074A3000-memory.dmp

memory/1952-44-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1952-45-0x00000000074F0000-0x00000000074FA000-memory.dmp

memory/1952-46-0x0000000007CC0000-0x0000000007D56000-memory.dmp

memory/1952-47-0x0000000007500000-0x0000000007511000-memory.dmp

memory/1952-48-0x0000000007540000-0x000000000754E000-memory.dmp

memory/1952-49-0x0000000007560000-0x0000000007574000-memory.dmp

memory/1952-50-0x00000000075A0000-0x00000000075BA000-memory.dmp

memory/1952-51-0x0000000007590000-0x0000000007598000-memory.dmp

memory/1952-54-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1004-57-0x00000000033B0000-0x00000000037B0000-memory.dmp

memory/1004-56-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1004-58-0x0000000005050000-0x000000000593B000-memory.dmp

memory/1004-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2464-69-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/2464-70-0x00000000712C0000-0x0000000071614000-memory.dmp

memory/2464-80-0x00000000070E0000-0x0000000007183000-memory.dmp

memory/2464-82-0x0000000007410000-0x0000000007421000-memory.dmp

memory/3228-81-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2464-83-0x0000000007460000-0x0000000007474000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3004-96-0x0000000006420000-0x0000000006774000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 864a9872e1a5f7f3ce6b25f3cc3121fe
SHA1 f2ea27bd65e9aa5de9a2e53473103280161c4c32
SHA256 5c0ea88251f488ec5f6db91ed8beed75e56857b53a374f08d7af2eb633c2832e
SHA512 4a3b7799d271460e98765fc4c3ce9d330bd75a5f90fab2792601efe319ba1d70fab7d142328a7c7bda99d987f4d096dad8e3a90a4811e06bdaf1c000f0922d8d

memory/3004-99-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/3004-100-0x0000000070CC0000-0x0000000071014000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06c95d40e8db9c1374476eca8c725f73
SHA1 6fbff874e75efbd9253bd64a39038609b457e919
SHA256 f2aa29012521f4f75e20c13875d7f7d626c31ba3b404277d9f5ae191e813f29f
SHA512 3cbc229b28adcdf9ab83736ddba5fa1ff5f16cef607039b5a47eeecb3d8d3879f0bd42cd3b5bada39c61497ca4397b318b8584090b0ee0518c815620a2ac9f0d

memory/2144-121-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/2144-122-0x0000000070CC0000-0x0000000071014000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 dee362007009b1225368f3ee43f5d978
SHA1 e478b2a57e1a3db831e2e188c1ce417b7d6f197c
SHA256 e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1
SHA512 67d8b1d309657225c71253b9188f7bbe43f7976d23e76af2fb997edf37ee1c1683dce85da8740a4bfc435463447dfa17a4d6f539c463cc777a99c6a283785c8e

memory/3228-136-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a37b752c4ee834d1dcd5ab3ca268d4d9
SHA1 38923fd68ad7db7181f9afa14ef81e07b91f5f89
SHA256 5f31ac89fe7e49899c9dcffbbaa4c922717a8e20a3cfa1825c042ccb1c6cf048
SHA512 4e87b2de886ae45a2e85aa662ad85f1f8f998d7dd96e18c36dfb5f27b8a93dad9f9a099944f3da26a1e08222433e8eb482998eae1bf19a07454cde5d78ba0b38

memory/3940-150-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/3940-151-0x00000000712C0000-0x0000000071614000-memory.dmp

memory/3888-171-0x0000000005B20000-0x0000000005E74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 afb94a16e8395386a873308fc2d06804
SHA1 140810083f3637a082f8f3dfe00f84e1fb671de7
SHA256 2bb37c44f9c59539de2b220cbe413395a8a7d920681fc6e0f4c53652602ea445
SHA512 133b65bb3e35637a78ecb482e8c498a63f54f4327a3486c772f9ea0c545baac37a61983dabdcd36bb42db3686f4e63f0fc7744d709cd20b0d93c4f32061b09c5

memory/3888-173-0x0000000006020000-0x000000000606C000-memory.dmp

memory/3888-174-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/3888-175-0x0000000070BE0000-0x0000000070F34000-memory.dmp

memory/3888-185-0x0000000007220000-0x00000000072C3000-memory.dmp

memory/3888-186-0x0000000007580000-0x0000000007591000-memory.dmp

memory/3888-187-0x00000000058F0000-0x0000000005904000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b23fa939cf83697feab7b9f629c71dcd
SHA1 82b0da03ee9738b12eee1acbd10edde3c17f7af8
SHA256 19a0ce11ee60c474412d0b3e54ffff0aed6ace45d133d68fea05868a4a9e48e0
SHA512 568d9e2dc6293730a7960d3448814098f2d39a9e402a4ecbc1fbb47edeeb5745c5706284d7264ddc3930ad6b9a9c49cf244d6009b79da58bcb443d93b3538bf7

memory/4508-201-0x0000000070BE0000-0x0000000070F34000-memory.dmp

memory/4508-200-0x0000000070A60000-0x0000000070AAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1376-217-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4812-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3784-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4812-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1376-228-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3784-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1376-231-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1376-234-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3784-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1376-237-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1376-240-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1376-243-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3784-245-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1376-246-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1376-249-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1376-252-0x0000000000400000-0x0000000002EDD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:18

Reported

2024-05-09 19:21

Platform

win11-20240426-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4464 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4464 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4464 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4464 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4464 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe C:\Windows\rss\csrss.exe
PID 2772 wrote to memory of 792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3428 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3752 wrote to memory of 1992 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe

"C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe

"C:\Users\Admin\AppData\Local\Temp\e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 f5f6fd69-8159-4809-9ac7-191cfceb6f0a.uuid.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.alldatadump.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server9.alldatadump.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 N/A udp
US 74.125.250.129:19302 stun.l.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfi43emb.tcz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 497873df6bba8d1f7390d8abd2602b17
SHA1 9ae4cd1ee1bd3917c0e8e8600c2a753b8b9e0a9d
SHA256 b7722f936cf38bdffe5c0fa83b0f7ad46261c3820c53d1887f397b026bbadab2
SHA512 4cea03e9108403163dfcc536535c844030ad7a08571dd8f6dda226a4932cb71b509a371e651b04d3f85b06c559fb74256e3050bf95fa61a9d22c90452f018f44

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf9aa174a08388bc7c28ccaa9ed0eb4a
SHA1 9c73a04ce12d3bcebd11093393dae4db14c0f901
SHA256 3cf56d0a08d858b2dd1eabd4cd91b1dc7f7a651ba993663186cfea48d59bc36a
SHA512 701cb559d622abf478267912f007d973d5c3989c6d7edb28d5a32063e9b7130a6f691aeda4fcad16aac1e46db241ea0ab1597d959c7d6ced5423ccf40d853276

C:\Windows\rss\csrss.exe

MD5 dee362007009b1225368f3ee43f5d978
SHA1 e478b2a57e1a3db831e2e188c1ce417b7d6f197c
SHA256 e5abf996f36ed6a82e19c80efc9dcf594166577caed14569c14c8dee1ed3c4b1
SHA512 67d8b1d309657225c71253b9188f7bbe43f7976d23e76af2fb997edf37ee1c1683dce85da8740a4bfc435463447dfa17a4d6f539c463cc777a99c6a283785c8e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f7eda1f85416c778025504e5d0fe0e4d
SHA1 639fdb726c10c68dabb18cd5a2438016d26c1167
SHA256 0b4caf94a49f63bc771da521f92f2a705eb24e822261a3ca34c17a69d0f26284
SHA512 64c4fff12febe5647702887a85126d664fabb6d5e255e9e800a5d202eb1803a22ac091e4be686e550daeeaecb3f36f8113f4fed98fbfe2681f75a697380d4430

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d3b06ab0811ab6e55f556341b0caec72
SHA1 dd647e07b2861a100982fab4806a63e6df8efd89
SHA256 1fe58640f167fa3d67ae428c2fd1c3910f35b9b33324390f2ff97e17b782023c
SHA512 ae9a0442095ad92ebf4d613d3caf26d9ba4624f1c17a57488a94dcf265c7f5f7493c758bdcc53f70dd20f71e6d3dcfa09fe9e47d0e9d40c46991a1fbe565ff51

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b923a581841b72f8819aeca3de4c26c
SHA1 95e54cebdb390a0c9f7538a3d2710d0a0a9e8ea8
SHA256 565688346950dc2accece75129dee6e924e1fc8d1e323d1c65a74bb9e90155c4
SHA512 9057da380c201c5397ca98a9c5173a3a558b55ddb89231e221abf1a8f0373e995eeff79ead31d85f8736520a4ff549db073aade73553ca2fae313796f1c23333

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
