Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-ydek6sec44
Target 335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50
SHA256 335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50

Threat Level: Known bad

The file 335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:39

Reported

2024-05-09 19:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\system32\cmd.exe
PID 540 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 540 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1808 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\rss\csrss.exe
PID 1808 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\rss\csrss.exe
PID 1808 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\rss\csrss.exe
PID 4088 wrote to memory of 2668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 3972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 3972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 3972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 3144 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4088 wrote to memory of 3144 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3968 wrote to memory of 2248 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 2248 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 2248 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2248 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2248 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe

"C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe

"C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 105.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 5f08aacf-a14a-4846-85eb-5e0a5d73d097.uuid.statscreate.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.statscreate.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
BG 185.82.216.96:443 server2.statscreate.org tcp

Files

memory/4372-1-0x00000000031D0000-0x00000000035CD000-memory.dmp

memory/4372-2-0x0000000004F70000-0x000000000585B000-memory.dmp

memory/4372-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2532-4-0x000000007447E000-0x000000007447F000-memory.dmp

memory/2532-5-0x0000000004C10000-0x0000000004C46000-memory.dmp

memory/2532-6-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/2532-7-0x0000000005330000-0x0000000005958000-memory.dmp

memory/2532-8-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/2532-9-0x0000000005220000-0x0000000005242000-memory.dmp

memory/2532-10-0x0000000005B40000-0x0000000005BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2fodxfl.fr3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2532-11-0x0000000005BB0000-0x0000000005C16000-memory.dmp

memory/2532-17-0x0000000005C20000-0x0000000005F74000-memory.dmp

memory/2532-22-0x0000000006200000-0x000000000621E000-memory.dmp

memory/2532-23-0x0000000006280000-0x00000000062CC000-memory.dmp

memory/2532-24-0x0000000006730000-0x0000000006774000-memory.dmp

memory/2532-25-0x0000000007500000-0x0000000007576000-memory.dmp

memory/2532-26-0x0000000007C00000-0x000000000827A000-memory.dmp

memory/2532-27-0x00000000075A0000-0x00000000075BA000-memory.dmp

memory/2532-29-0x0000000007760000-0x0000000007792000-memory.dmp

memory/2532-30-0x0000000070310000-0x000000007035C000-memory.dmp

memory/2532-31-0x0000000070A50000-0x0000000070DA4000-memory.dmp

memory/2532-41-0x00000000077A0000-0x00000000077BE000-memory.dmp

memory/2532-42-0x00000000077C0000-0x0000000007863000-memory.dmp

memory/2532-43-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/2532-44-0x00000000078B0000-0x00000000078BA000-memory.dmp

memory/4372-28-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2532-45-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/2532-46-0x0000000007990000-0x0000000007A26000-memory.dmp

memory/2532-47-0x00000000078F0000-0x0000000007901000-memory.dmp

memory/2532-48-0x0000000007930000-0x000000000793E000-memory.dmp

memory/2532-49-0x0000000007940000-0x0000000007954000-memory.dmp

memory/2532-50-0x0000000007A30000-0x0000000007A4A000-memory.dmp

memory/2532-51-0x0000000007970000-0x0000000007978000-memory.dmp

memory/2532-54-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/4372-56-0x00000000031D0000-0x00000000035CD000-memory.dmp

memory/4372-57-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4372-58-0x0000000004F70000-0x000000000585B000-memory.dmp

memory/2320-68-0x0000000005740000-0x0000000005A94000-memory.dmp

memory/2320-69-0x0000000070310000-0x000000007035C000-memory.dmp

memory/2320-70-0x0000000070A90000-0x0000000070DE4000-memory.dmp

memory/2320-80-0x0000000006F90000-0x0000000007033000-memory.dmp

memory/4372-82-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1808-81-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2320-83-0x00000000072A0000-0x00000000072B1000-memory.dmp

memory/2320-84-0x0000000007310000-0x0000000007324000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2340-97-0x0000000005700000-0x0000000005A54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bca3e987e369893965a7d76c41f98e75
SHA1 696bd4776cb85ed56958fe04923c7dacdc18ca2b
SHA256 9a882e7adc21e342e22ea6b9517ebf7fc1283a40580eda16be9d918484960600
SHA512 259615932ebb9bc2c1399148ae7d07fcba3e0ff440cf9d10be7b3b6d988ac0d232886a52376446f884cbcf9e5810aa07f10fa0d6a5508ec2e16f7fd04746d324

memory/2340-99-0x0000000070310000-0x000000007035C000-memory.dmp

memory/2340-100-0x0000000070490000-0x00000000707E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fc591456b4656cc22eaea719e91f620b
SHA1 e81b1bf5d42659c44e9f684dff7a05ae77885e77
SHA256 82541361248ca3de78bdf3fe3408051990ece692ee9052bc47600d8ffa0a15fe
SHA512 1334c5b476c52c69c9bd104ef44e51f4b38eb42e637c0269e9a5b2ad93ee7cc722ba1d2334dd42a88ca75f81dc17464b99fc3b98c1a8e834bb2ec9a5b9f80227

memory/116-121-0x0000000070310000-0x000000007035C000-memory.dmp

memory/116-123-0x0000000070A90000-0x0000000070DE4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 61f1436c6447d03f9eeea773221b2f4a
SHA1 2999adf3d0415844a19cdc3985ae8395b2f01336
SHA256 335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50
SHA512 f1787790a07ba58a31fd988c1851d5207e02fdc2092c997107babe3dd3e073a39c0baf8780bce6d2a7258ed9ccc7adf78cbd30d76a891bdb7733ec64dcca3fb7

memory/1808-137-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5c3ea94d78cb80317a5ad7bd3251bda
SHA1 cc800b9917894ea5f9b37a26c5c684a949c9f90a
SHA256 48f063cd6b914e6f56ae632d48c8a4c8aa988ed94809614b5033093c0c8f3821
SHA512 485cfaee81fcb53e30cac74b95ae06aafe6ca0d1bd12750d2deeb12bfc41f65d374880af6fd4cf5125ffb9b70596cbcc435e7b9f68963178ff15abc4cea69f8d

memory/2668-151-0x0000000070310000-0x000000007035C000-memory.dmp

memory/2668-152-0x0000000070A90000-0x0000000070DE4000-memory.dmp

memory/4088-162-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3972-173-0x00000000056E0000-0x0000000005A34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3eaa19154cdf1bbe86b76f6b320a2ec7
SHA1 38229f5884627cce6eba051227d8a732b60e2a13
SHA256 9093a545a1bd01b094d8bb2e2a01b602f23d697b76ff9a74285155eaa9748b01
SHA512 15b6bb8b953a14acb7e2900b84022878db0b81666fffda191c305c455f833f2ffeacef6a016a65ba8122fd1c264c8bafb9796d057ba9a83c4155e8a18b80f2f1

memory/3972-175-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

memory/3972-176-0x0000000070230000-0x000000007027C000-memory.dmp

memory/3972-177-0x00000000703B0000-0x0000000070704000-memory.dmp

memory/3972-187-0x0000000006EC0000-0x0000000006F63000-memory.dmp

memory/3972-188-0x0000000007200000-0x0000000007211000-memory.dmp

memory/3972-190-0x0000000005A60000-0x0000000005A74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e7d5ec1b31f087810fade53da6ea1012
SHA1 9f9ee5ded14da087d81564831a6ce89f384348bb
SHA256 29e7c41482851ee1aab4dbf46064517ada463b139153c75739ebed870bdb9990
SHA512 0e8595306f77564da7644b6b17ea4f23afb5867738ed4e86de5b793353d69ff568be873ac9f16b5e197678a5d2698b8ee4ab2187cc298a951a62a3dfcf83a7d6

memory/2580-202-0x0000000070230000-0x000000007027C000-memory.dmp

memory/2580-203-0x00000000703B0000-0x0000000070704000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4088-219-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3968-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2340-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3968-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4088-229-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2340-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4088-231-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4088-234-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2340-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4088-237-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4088-241-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4088-243-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2340-247-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4088-246-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4088-249-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4088-253-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:39

Reported

2024-05-09 19:42

Platform

win11-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\system32\cmd.exe
PID 3740 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\system32\cmd.exe
PID 4120 wrote to memory of 240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4120 wrote to memory of 240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3740 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3740 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\rss\csrss.exe
PID 3740 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\rss\csrss.exe
PID 3740 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe C:\Windows\rss\csrss.exe
PID 2448 wrote to memory of 3276 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 3276 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 3276 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 1864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 1860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 1860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 1860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2448 wrote to memory of 3884 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2448 wrote to memory of 3884 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2276 wrote to memory of 1136 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 1136 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 1136 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1136 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1136 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe

"C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe

"C:\Users\Admin\AppData\Local\Temp\335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3ef151a8-c130-462f-a374-75ac3b713e0b.uuid.statscreate.org udp
US 8.8.8.8:53 server1.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server1.statscreate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server1.statscreate.org tcp
BG 185.82.216.96:443 server1.statscreate.org tcp

Files

memory/2720-1-0x0000000003410000-0x0000000003816000-memory.dmp

memory/2720-2-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/2720-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4252-4-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/4252-5-0x0000000002B00000-0x0000000002B36000-memory.dmp

memory/4252-7-0x00000000053F0000-0x0000000005A1A000-memory.dmp

memory/4252-6-0x0000000074CE0000-0x0000000075491000-memory.dmp

memory/4252-8-0x0000000074CE0000-0x0000000075491000-memory.dmp

memory/4252-9-0x0000000005200000-0x0000000005222000-memory.dmp

memory/4252-10-0x0000000005A20000-0x0000000005A86000-memory.dmp

memory/4252-11-0x0000000005A90000-0x0000000005AF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrocxgg1.3fq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4252-20-0x0000000005B00000-0x0000000005E57000-memory.dmp

memory/4252-21-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

memory/4252-22-0x0000000005FF0000-0x000000000603C000-memory.dmp

memory/4252-23-0x0000000006530000-0x0000000006576000-memory.dmp

memory/4252-24-0x00000000073C0000-0x00000000073F4000-memory.dmp

memory/4252-25-0x0000000070F50000-0x0000000070F9C000-memory.dmp

memory/4252-26-0x0000000071120000-0x0000000071477000-memory.dmp

memory/4252-35-0x0000000007420000-0x000000000743E000-memory.dmp

memory/4252-36-0x0000000007440000-0x00000000074E4000-memory.dmp

memory/2720-37-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4252-39-0x0000000007570000-0x000000000758A000-memory.dmp

memory/4252-38-0x0000000007BB0000-0x000000000822A000-memory.dmp

memory/4252-40-0x00000000075B0000-0x00000000075BA000-memory.dmp

memory/4252-41-0x0000000007670000-0x0000000007706000-memory.dmp

memory/4252-42-0x00000000075E0000-0x00000000075F1000-memory.dmp

memory/4252-43-0x0000000007620000-0x000000000762E000-memory.dmp

memory/4252-44-0x0000000007630000-0x0000000007645000-memory.dmp

memory/4252-45-0x0000000007730000-0x000000000774A000-memory.dmp

memory/4252-46-0x0000000007710000-0x0000000007718000-memory.dmp

memory/4252-49-0x0000000074CE0000-0x0000000075491000-memory.dmp

memory/2720-51-0x0000000003410000-0x0000000003816000-memory.dmp

memory/2720-52-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3804-61-0x0000000005B00000-0x0000000005E57000-memory.dmp

memory/3804-62-0x0000000070F50000-0x0000000070F9C000-memory.dmp

memory/3804-63-0x0000000071160000-0x00000000714B7000-memory.dmp

memory/3804-72-0x0000000007270000-0x0000000007314000-memory.dmp

memory/3804-73-0x00000000075A0000-0x00000000075B1000-memory.dmp

memory/3804-74-0x00000000075F0000-0x0000000007605000-memory.dmp

memory/2720-76-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/3740-75-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/804-88-0x0000000005AA0000-0x0000000005DF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3f37311268fa88c0b0303cb044a8044b
SHA1 a2cfefcdbf919145e574f1dc94ec7915951c15eb
SHA256 3476294f2b8f41b6b33d308f3c056eb01393a218d56272ed2ce158b4e95c10ea
SHA512 b8b5609d3c75c2f0797702582e6755c1378bee37c967165b2cfc8f1ea7bec8c428220ab44e9de44a4280fb7344a772d1799bd886bcc595c43d2cb0dc38f06158

memory/804-90-0x0000000070F50000-0x0000000070F9C000-memory.dmp

memory/804-91-0x00000000711C0000-0x0000000071517000-memory.dmp

memory/2720-100-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c3ca172e079e0c9da28f3307bf00351e
SHA1 0fe992c6ab70a81ce03800bbd1e1344e6fd8e46a
SHA256 db831b0167aca04db663a538a45281c90dbb1cc15c859da77e19c4d9fe2a1d3c
SHA512 b541b5eacb2354e13347f75f51789a8ad7eeacdfbc4cb1a5651b625098275f9f3ba6abb2c93786a66d5a8680af178e058bb0e214b1bde9fa9c154c9922a727b9

memory/4428-111-0x0000000070F50000-0x0000000070F9C000-memory.dmp

memory/4428-112-0x0000000071160000-0x00000000714B7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 61f1436c6447d03f9eeea773221b2f4a
SHA1 2999adf3d0415844a19cdc3985ae8395b2f01336
SHA256 335e3804c0837ee9ce9db5ef6fd041ff05015598a4e03b71de443425f6ba1c50
SHA512 f1787790a07ba58a31fd988c1851d5207e02fdc2092c997107babe3dd3e073a39c0baf8780bce6d2a7258ed9ccc7adf78cbd30d76a891bdb7733ec64dcca3fb7

memory/3740-128-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3276-138-0x0000000006280000-0x00000000065D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0bb502248cae2f1993ec50184a42d2ba
SHA1 72d4eb0cebaea72138c333e96056bffb4b779166
SHA256 2a8b93a03d79c14e73d9243ff8183b638f0601520170b62d7aa4dbca0313b602
SHA512 ee2dcc206f90f4b88789e7f64c8b6332a9b0d20890cd27bb2f09e3801d3bdce7c1fa080d0758c088e2d15081d451324e4a3e64c938283fb2adc8d676b58b4b39

memory/3276-141-0x00000000710D0000-0x0000000071427000-memory.dmp

memory/3276-140-0x0000000070F50000-0x0000000070F9C000-memory.dmp

memory/1864-160-0x0000000005EA0000-0x00000000061F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 74859b846ceaaedb64fc18e99501ebf9
SHA1 a34e30e749cf2b94128c085bb43b7a811c327bd8
SHA256 27653b0d3a39583caf1c19215777c3578bc01c65ba6e3bdc9867a5d9046b7b61
SHA512 85fe0a4407bb618e2889b6d804d1aefd8901ed6e58c3da3d117d122c621a0f3c69fe4057d721de931b539e6b1bd1e31193c1a04f45fb6c45dcf4c67fb9b1ba12

memory/1864-162-0x0000000006850000-0x000000000689C000-memory.dmp

memory/1864-163-0x0000000070E70000-0x0000000070EBC000-memory.dmp

memory/1864-164-0x0000000070FF0000-0x0000000071347000-memory.dmp

memory/1864-173-0x0000000007580000-0x0000000007624000-memory.dmp

memory/1864-174-0x0000000007900000-0x0000000007911000-memory.dmp

memory/1864-175-0x0000000005C90000-0x0000000005CA5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1feff004693a10518fc9925c1bf1272f
SHA1 7108a20687284fb857a827b219c236b76fe4a07f
SHA256 48627e69af4083cb586c17c8151582430cf06e5af3bfaaf296af0c9ba06cd9fa
SHA512 41cecb9ac720b689632694e08f42d6a81a5a6d083b480087ab4b3ff35e7d2a6bda32102f12849607ed30fc375aeda726c57ccdb80c4f396e6b29dda976898a5a

memory/1860-186-0x0000000070E70000-0x0000000070EBC000-memory.dmp

memory/1860-187-0x0000000070FF0000-0x0000000071347000-memory.dmp

memory/2448-198-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2276-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2276-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2448-214-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3496-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2448-217-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2448-221-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3496-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2448-225-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2448-229-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2448-233-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3496-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2448-237-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2448-241-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2448-245-0x0000000000400000-0x0000000002ED5000-memory.dmp