Malware Analysis Report

2024-12-08 02:05

Sample ID 240516-lq8zbsef6v
Target c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30
SHA256 c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30

Threat Level: Known bad

The file c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 09:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 09:45

Reported

2024-05-16 09:47

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\system32\cmd.exe
PID 4308 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4308 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1932 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\rss\csrss.exe
PID 1932 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\rss\csrss.exe
PID 1932 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\rss\csrss.exe
PID 2536 wrote to memory of 3156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 3156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 3156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 4804 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2536 wrote to memory of 4804 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3564 wrote to memory of 3400 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 3400 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 3400 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3400 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3400 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe

"C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe

"C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
BE 88.221.83.194:443 www.bing.com tcp
US 8.8.8.8:53 194.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 a21355b5-aee0-4248-bb57-dcf37889b705.uuid.dumppage.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 server5.dumppage.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server5.dumppage.org tcp
US 15.197.250.192:3478 stun.sipgate.net udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server5.dumppage.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
BG 185.82.216.111:443 server5.dumppage.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4400-1-0x0000000002990000-0x0000000002D8A000-memory.dmp

memory/4400-2-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/4400-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4280-4-0x000000007468E000-0x000000007468F000-memory.dmp

memory/4280-5-0x0000000002D10000-0x0000000002D46000-memory.dmp

memory/4280-7-0x00000000054C0000-0x0000000005AE8000-memory.dmp

memory/4280-6-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/4280-8-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/4280-9-0x0000000005B60000-0x0000000005B82000-memory.dmp

memory/4280-11-0x0000000005C70000-0x0000000005CD6000-memory.dmp

memory/4280-10-0x0000000005C00000-0x0000000005C66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oab4cieq.4mc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4280-21-0x0000000005CE0000-0x0000000006034000-memory.dmp

memory/4280-22-0x00000000062D0000-0x00000000062EE000-memory.dmp

memory/4280-23-0x0000000006380000-0x00000000063CC000-memory.dmp

memory/4280-24-0x0000000006830000-0x0000000006874000-memory.dmp

memory/4280-25-0x00000000075F0000-0x0000000007666000-memory.dmp

memory/4280-26-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/4280-27-0x0000000007690000-0x00000000076AA000-memory.dmp

memory/4280-28-0x0000000007850000-0x0000000007882000-memory.dmp

memory/4280-31-0x0000000070C20000-0x0000000070F74000-memory.dmp

memory/4280-30-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/4280-29-0x0000000070520000-0x000000007056C000-memory.dmp

memory/4280-41-0x0000000007890000-0x00000000078AE000-memory.dmp

memory/4280-42-0x00000000078B0000-0x0000000007953000-memory.dmp

memory/4280-43-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/4280-44-0x00000000079A0000-0x00000000079AA000-memory.dmp

memory/4280-45-0x0000000007AB0000-0x0000000007B46000-memory.dmp

memory/4280-46-0x0000000007A10000-0x0000000007A21000-memory.dmp

memory/4280-47-0x00000000079F0000-0x00000000079FE000-memory.dmp

memory/4280-48-0x0000000007A30000-0x0000000007A44000-memory.dmp

memory/4280-49-0x0000000007A80000-0x0000000007A9A000-memory.dmp

memory/4280-50-0x0000000007A70000-0x0000000007A78000-memory.dmp

memory/4280-53-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/1932-55-0x00000000029D0000-0x0000000002DD4000-memory.dmp

memory/1936-65-0x0000000006110000-0x0000000006464000-memory.dmp

memory/1936-66-0x0000000070520000-0x000000007056C000-memory.dmp

memory/1936-67-0x00000000706A0000-0x00000000709F4000-memory.dmp

memory/1936-77-0x0000000007810000-0x00000000078B3000-memory.dmp

memory/4400-78-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4400-79-0x0000000002990000-0x0000000002D8A000-memory.dmp

memory/1936-80-0x0000000007B20000-0x0000000007B31000-memory.dmp

memory/1936-81-0x0000000007B70000-0x0000000007B84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1412-94-0x0000000005850000-0x0000000005BA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 29ae9e66187e61cd712614605e53a85b
SHA1 70472cae2208ccb454ed2288c1e9836e2da7a35f
SHA256 6dd4a4345bfd333d338335e29935a48298c7c08b0cb4b7ba37f22926dd676bdf
SHA512 9e86a35b22bbeb6b5148f097fc0ad2449efeebe4ecec7934ccd46059e0ba990d090231246284c203d1793e6aad11dd3b6ec53ff813c59db4ae5d01d6141fbc19

memory/4400-96-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/1412-97-0x0000000070520000-0x000000007056C000-memory.dmp

memory/1412-98-0x0000000070CA0000-0x0000000070FF4000-memory.dmp

memory/4776-118-0x0000000005AE0000-0x0000000005E34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dacbefcaf9e3b4ef40bb0f0a95c2c477
SHA1 eaefa32d0a69f635e60acb7a301be8fdae4ff77b
SHA256 2e0d4f05de5dea3ccc78092ab3294514f8e25e95b3f3236781761ab840fcabb6
SHA512 d41b3d1eb27b4dc284106d9ac368df944885d8368967b38b0872d1e1a5dc464cec46b7491c6426042229395e711cc1610511f9dd8aee3eed6e7cfd226598ee11

memory/1932-120-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4776-121-0x0000000070520000-0x000000007056C000-memory.dmp

memory/4776-122-0x00000000708F0000-0x0000000070C44000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6cc4240ac77edb96d20157cbae0b8c9a
SHA1 ea1d34d70f7ba791e4397fdb13b8edb84c98711e
SHA256 c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30
SHA512 97dd1f375d611b98991abf51feb334254f8a6c91baaabf9cd551c9afbd851a8f87a05e5185d402b36a32ecca5f682ec347281e704b61afbefa49216138762bf6

memory/1932-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1fa7872ae62df916d47274a24d7d596
SHA1 a49fa2b7fe41f861ff9af5fcc0d683c5cda81786
SHA256 70d5f02120f139bff69f17522b6e06e1635105001a9ddf294cb9d262f9c13e12
SHA512 f45d9bcb922a1d896e65863428f559e9dc12690b89650c9268cb3ce54970d0a07c682f30035da979f46c15410be6283802f3c791d6d879d730354499e4805bb6

memory/3156-150-0x0000000070520000-0x000000007056C000-memory.dmp

memory/3156-151-0x00000000706A0000-0x00000000709F4000-memory.dmp

memory/3632-171-0x00000000059C0000-0x0000000005D14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f371adb8daede770971c9f5e4c9f61e1
SHA1 6b9b0d703bc21725187da4b5e302a165c0652852
SHA256 faf5ac0ca23674887d9d17108a71f241f9757701c01896ec1ff295e2e27ad902
SHA512 8f949e94f20e4a09b75dd3167cfd4e80b00a8039a130081480716cc6495cf136c989a8c417121d2fda268791d53393f592d03e31597f4370ed0b6fe77fb28c8d

memory/3632-173-0x0000000006260000-0x00000000062AC000-memory.dmp

memory/3632-174-0x0000000070440000-0x000000007048C000-memory.dmp

memory/3632-175-0x00000000705C0000-0x0000000070914000-memory.dmp

memory/3632-185-0x00000000071E0000-0x0000000007283000-memory.dmp

memory/3632-186-0x00000000074F0000-0x0000000007501000-memory.dmp

memory/3632-187-0x0000000005D60000-0x0000000005D74000-memory.dmp

memory/656-189-0x0000000005AD0000-0x0000000005E24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4025d5de8ca07316af7c7ed8636b678a
SHA1 772d5ef04c05370130955d2966ba0dc684329757
SHA256 f7eae5a881fc5d8905002520a923758819984c4070966a77293933b20ca13e61
SHA512 b2ce0cf6b85e070a34fe72db2e05b3ad383c1038314b0a2607bb9b685d1c0ccf782e38e15a260ea9874583e077755da5cbcc52d81aeb21314b4d50503a6717a6

memory/656-200-0x0000000070440000-0x000000007048C000-memory.dmp

memory/656-201-0x0000000070BD0000-0x0000000070F24000-memory.dmp

memory/2536-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3564-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3364-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3564-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2536-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3364-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2536-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3364-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2536-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2536-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 09:45

Reported

2024-05-16 09:47

Platform

win11-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3876 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\system32\cmd.exe
PID 4904 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\system32\cmd.exe
PID 3120 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3120 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4904 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\rss\csrss.exe
PID 4904 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\rss\csrss.exe
PID 4904 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe C:\Windows\rss\csrss.exe
PID 4660 wrote to memory of 4204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 4204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 4204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 1592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 1592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 1592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4660 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1016 wrote to memory of 908 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 908 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 908 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 908 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 908 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe

"C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe

"C:\Users\Admin\AppData\Local\Temp\c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3476d377-3cf2-4068-9945-158142ce5a14.uuid.dumppage.org udp
US 8.8.8.8:53 server9.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server9.dumppage.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server9.dumppage.org tcp
BG 185.82.216.111:443 server9.dumppage.org tcp
BG 185.82.216.111:443 server9.dumppage.org tcp
N/A 127.0.0.1:31465 tcp

Files

memory/3876-1-0x0000000002A50000-0x0000000002E4F000-memory.dmp

memory/3876-2-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/3876-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1476-4-0x000000007481E000-0x000000007481F000-memory.dmp

memory/1476-5-0x00000000051C0000-0x00000000051F6000-memory.dmp

memory/1476-6-0x0000000005830000-0x0000000005E5A000-memory.dmp

memory/1476-7-0x0000000074810000-0x0000000074FC1000-memory.dmp

memory/1476-8-0x00000000057B0000-0x00000000057D2000-memory.dmp

memory/1476-10-0x0000000006030000-0x0000000006096000-memory.dmp

memory/1476-9-0x0000000005ED0000-0x0000000005F36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzzk1h2w.nkx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1476-20-0x00000000061A0000-0x00000000064F7000-memory.dmp

memory/1476-19-0x0000000074810000-0x0000000074FC1000-memory.dmp

memory/1476-21-0x0000000006660000-0x000000000667E000-memory.dmp

memory/1476-22-0x0000000006690000-0x00000000066DC000-memory.dmp

memory/1476-23-0x0000000006C00000-0x0000000006C46000-memory.dmp

memory/1476-24-0x0000000007A80000-0x0000000007AB4000-memory.dmp

memory/1476-25-0x0000000070A80000-0x0000000070ACC000-memory.dmp

memory/1476-27-0x0000000070CD0000-0x0000000071027000-memory.dmp

memory/1476-36-0x0000000007AC0000-0x0000000007ADE000-memory.dmp

memory/1476-37-0x0000000007AE0000-0x0000000007B84000-memory.dmp

memory/1476-26-0x0000000074810000-0x0000000074FC1000-memory.dmp

memory/1476-38-0x0000000074810000-0x0000000074FC1000-memory.dmp

memory/1476-40-0x0000000007C10000-0x0000000007C2A000-memory.dmp

memory/1476-39-0x0000000008250000-0x00000000088CA000-memory.dmp

memory/1476-41-0x0000000007C50000-0x0000000007C5A000-memory.dmp

memory/1476-42-0x0000000007D60000-0x0000000007DF6000-memory.dmp

memory/1476-43-0x0000000007C70000-0x0000000007C81000-memory.dmp

memory/1476-44-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

memory/1476-45-0x0000000007CD0000-0x0000000007CE5000-memory.dmp

memory/1476-46-0x0000000007D20000-0x0000000007D3A000-memory.dmp

memory/1476-47-0x0000000007D40000-0x0000000007D48000-memory.dmp

memory/1476-50-0x0000000074810000-0x0000000074FC1000-memory.dmp

memory/3876-52-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/3876-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4904-55-0x0000000002A40000-0x0000000002E3D000-memory.dmp

memory/2748-64-0x0000000006200000-0x0000000006557000-memory.dmp

memory/2748-65-0x00000000066A0000-0x00000000066EC000-memory.dmp

memory/2748-66-0x0000000070B90000-0x0000000070BDC000-memory.dmp

memory/2748-67-0x0000000070D10000-0x0000000071067000-memory.dmp

memory/2748-76-0x0000000007890000-0x0000000007934000-memory.dmp

memory/2748-77-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

memory/2748-78-0x0000000007C20000-0x0000000007C35000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b12ada241e252b2d9c6ce9dbcfde7c0f
SHA1 004570f7ba41edbf3f964543a4771bc5874a41eb
SHA256 12b6f1821f4007e423e24a9d474a6521652d340a3491cd02ae35013d42d6bc19
SHA512 2d3ec9c1b02e629506b263123fd6a1f1b952e6032e7ce0baf6750c0cd074c4bd796d26878e2f678f3e338246cc0a36f4755156b34c5a1088e54f61680865948f

memory/1548-91-0x0000000070B90000-0x0000000070BDC000-memory.dmp

memory/1548-92-0x0000000070D10000-0x0000000071067000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 15078bebec90eaa3680c4b602847a052
SHA1 f50c839b3d823120e4d419ebd641035614d2622e
SHA256 b201aca7c95f21fb1dc16a46fc54131255486be404374219f04b4ffd0aa22f9b
SHA512 286ffe89c6cdb41b12f3a2845bed3e040dff35302243f6782ccb13318af18ce3db561aa9b4f312f0e719197731c204414963c1bf7b388775be19e50c3f88e0a9

memory/3160-111-0x0000000070B90000-0x0000000070BDC000-memory.dmp

memory/3160-112-0x0000000070D10000-0x0000000071067000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6cc4240ac77edb96d20157cbae0b8c9a
SHA1 ea1d34d70f7ba791e4397fdb13b8edb84c98711e
SHA256 c0391bcfdc26d1587e6a3ef1750e80f38be70e82c751570987056e49e83f8e30
SHA512 97dd1f375d611b98991abf51feb334254f8a6c91baaabf9cd551c9afbd851a8f87a05e5185d402b36a32ecca5f682ec347281e704b61afbefa49216138762bf6

memory/4204-135-0x0000000005C40000-0x0000000005F97000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 68eafb18d334bb3cf3c69f9bf48e954b
SHA1 a33dcdd8cbdc45e7be0ec4c92803e38f8c5fadec
SHA256 ffef23ef306fa29b88f83dad320ea782a3962d85796e3cb5855393d25887c571
SHA512 55a37fb2e8e1abbebdaaed0968763ca64216f02baf7950c1cefd5dad04a42689a14f7f43b1b57ac424bfdb106eac970a8c69f2a651049ef2e362af678b8a0913

memory/4204-137-0x0000000006240000-0x000000000628C000-memory.dmp

memory/4204-138-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/4204-139-0x0000000070D40000-0x0000000071097000-memory.dmp

memory/4204-148-0x0000000007450000-0x00000000074F4000-memory.dmp

memory/4204-149-0x00000000077A0000-0x00000000077B1000-memory.dmp

memory/4904-150-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4204-151-0x0000000005FD0000-0x0000000005FE5000-memory.dmp

memory/2116-161-0x00000000060E0000-0x0000000006437000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ddb92bdaf06ad6a12f4e590a09286041
SHA1 75670c5ccd2d4c223e4a063584ecf95d538816dc
SHA256 68d00f585391f8765a6d26b4592d7f19634fcc6c8ac5c5e734a571362e23e0a7
SHA512 f75b2d6a70c73978df3be2c272225b744fb167aa80bc315629d5d53076072525c90c80d51c168f27045719dcf899bb316e2aa542b1ba9b6780cebf2c939c9732

memory/2116-163-0x0000000006970000-0x00000000069BC000-memory.dmp

memory/2116-164-0x0000000070A10000-0x0000000070A5C000-memory.dmp

memory/2116-165-0x0000000070C60000-0x0000000070FB7000-memory.dmp

memory/2116-174-0x0000000007870000-0x0000000007914000-memory.dmp

memory/2116-175-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

memory/2116-176-0x0000000006020000-0x0000000006035000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06e0cf2f9e74f517954c3bae7c9f986d
SHA1 c7245fb817d59d72289fa09f4b571f80dabc7b2e
SHA256 107e6934d7914301c2aedf0f2739a092de4616c65146aedf9f59e516e436b5a8
SHA512 17dc4fb023a46a551ce4a6d2332ee2002d7d1b8e1d6d18310c36766f1e94ffa077a87153d9fd8578a23dfcef5b1023be1a2f17478e95d0ed61fb1cc95f19f455

memory/1592-187-0x0000000070A10000-0x0000000070A5C000-memory.dmp

memory/1592-188-0x0000000070C60000-0x0000000070FB7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4660-203-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4904-208-0x0000000002A40000-0x0000000002E3D000-memory.dmp

memory/1016-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2568-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1016-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4660-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2568-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4660-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2568-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4660-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4660-247-0x0000000000400000-0x0000000000D1C000-memory.dmp