Malware Analysis Report

2025-01-02 06:27

Sample ID 240516-mdafnsgd44
Target c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef
SHA256 c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef

Threat Level: Known bad

The file c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:20

Reported

2024-05-16 10:23

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\system32\cmd.exe
PID 4348 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4348 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3396 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\rss\csrss.exe
PID 3396 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\rss\csrss.exe
PID 3396 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\rss\csrss.exe
PID 2956 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 2136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 3676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 3676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 3676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4124 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2956 wrote to memory of 4124 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4108 wrote to memory of 3472 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3472 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3472 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3472 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3472 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe

"C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe

"C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
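
The sc sdset line above rewrites the DACL of the service the dropper registers as WinDefender. The Python script below is an added example, not part of the sandbox report or of the malware: it parses that SDDL string (copied from the sc.exe command line above), maps the two-letter rights codes onto their service-object meanings, and runs a Windows-style ordered access check to answer the two questions a responder needs: can a member of Administrators stop the service, and does the ACL still grant Administrators WRITE_DAC and DELETE, in which case sc sdset with a sane descriptor, or sc delete, undoes it. The group SIDs assumed in the admin token, the rights mapping and the check logic are this example's own assumptions; the script reports what the descriptor says, not what the service control manager enforced in the sandbox.

```python
"""Parse the service DACL from the report's `sc sdset WinDefender ...` line and
answer: can Administrators stop the service, and can they still repair the ACL?
Added example; the SDDL string is copied from the report, everything else is assumed."""
import re
from dataclasses import dataclass

# Two-letter SDDL rights codes as they apply to a service object
# (generic codes take the SERVICE_* meaning when the object is a service).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# SDDL string copied from the sc.exe command line in the report.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
             "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumed group SIDs present in an interactive local administrator's token.
ADMIN_TOKEN = {"BA", "IU", "AU", "WD"}
SYSTEM_TOKEN = {"SY"}


@dataclass
class Ace:
    ace_type: str        # "A" allow, "D" deny, "AU" audit
    flags: str
    rights: tuple        # decoded right names
    trustee: str         # SID string or well-known abbreviation


_SECTION = re.compile(r"(D|S):([A-Z]*)((?:\([^)]*\))*)")
_ACE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_sddl(sddl):
    """Return (dacl, sacl) as lists of Ace. Hex access masks are out of scope here."""
    dacl, sacl = [], []
    for sec in _SECTION.finditer(sddl):
        target = dacl if sec.group(1) == "D" else sacl
        for ace in _ACE.finditer(sec.group(3)):
            ace_type, flags, rights, _obj, _inherit, sid = ace.groups()
            if rights.startswith("0x"):
                raise ValueError("hex access mask not handled in this example")
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            target.append(Ace(ace_type, flags,
                              tuple(SERVICE_RIGHTS.get(c, c) for c in codes), sid))
    return dacl, sacl


def access_check(dacl, token_sids, requested):
    """Ordered evaluation the way Windows does it: walk ACEs in order; a matching
    deny on any still-outstanding right fails, matching allows strip bits, and access
    is granted once nothing is outstanding. ACE order therefore matters."""
    remaining = set(requested)
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.ace_type == "D" and remaining & set(ace.rights):
            return False
        if ace.ace_type == "A":
            remaining -= set(ace.rights)
            if not remaining:
                return True
    return not remaining


def explicit_admin_denies(dacl):
    """Deny ACEs aimed at Administrators that cover Stop or Pause/Continue."""
    control = {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE"}
    return [(a.trustee, sorted(set(a.rights) & control))
            for a in dacl
            if a.ace_type == "D" and a.trustee == "BA" and set(a.rights) & control]


def triage(sddl=PAGE_SDDL):
    dacl, sacl = parse_sddl(sddl)
    return {
        "explicit_admin_denies": explicit_admin_denies(dacl),
        "admin_can_stop": access_check(dacl, ADMIN_TOKEN, {"SERVICE_STOP"}),
        "admin_can_change_config": access_check(dacl, ADMIN_TOKEN, {"SERVICE_CHANGE_CONFIG"}),
        "admin_can_write_dac": access_check(dacl, ADMIN_TOKEN, {"WRITE_DAC"}),
        "admin_can_delete": access_check(dacl, ADMIN_TOKEN, {"DELETE"}),
        "system_can_stop": access_check(dacl, SYSTEM_TOKEN, {"SERVICE_STOP"}),
        "interactive_can_start": access_check(dacl, {"IU"}, {"SERVICE_START"}),
        "audit_aces": len(sacl),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

In the report's descriptor the Administrators allow ACE already omits WP and DT, so the explicit deny on the same trustee is belt and braces; LocalSystem keeps start, stop and pause, and interactive users and services are limited to query and interrogate rights. Because the allow ACE still carries SD, WD and WO, an administrator keeps the rights needed to reset the descriptor or delete the service, which is the practical recovery path.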

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97f876e8-9218-48b8-9338-85fd7a3f1c44.uuid.dumperstats.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server9.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
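
The Network table mixes the sandbox's own resolver traffic, reverse lookups of addresses already in the table, Windows background traffic and the destinations that matter. The Python script below is an added example, not part of the report: it parses a subset of the rows above (copied verbatim), sorts each name into a bucket using an allowlist that is this example's own assumption, joins names to the addresses and ports actually contacted, and collapses the per-host uuid.<domain> label seen above to a parent domain for blocking. Which bucket a name lands in is a triage heuristic, not a verdict: STUN servers and the Discord CDN are legitimate services that malware also uses, and attribution needs the originating process, which this table does not record.

```python
"""Split the report's Network table into resolver noise, reverse lookups, Windows
background traffic, shared hosting, STUN and candidate C2, and join names to the
addresses actually contacted. Added example; the rows are copied from the report,
the bucket rules are this example's own assumptions."""
from collections import defaultdict

# Rows copied from the report's Network table (Country Destination Domain Proto), subset.
NETWORK_TABLE = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 97f876e8-9218-48b8-9338-85fd7a3f1c44.uuid.dumperstats.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server9.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumed triage rules; none of this comes from the sandbox.
OS_BACKGROUND = ("bing.com", "bing.net")      # Edge/Windows background in a clean VM
SHARED_HOSTING = ("discordapp.com",)           # legitimate CDN also used to host payloads
STUN_SERVERS = ("stun.l.google.com", "stun1.l.google.com")


def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(host):
    """Bucket a queried name; 'candidate-c2' is the residue after the known noise."""
    if host.endswith(".in-addr.arpa"):
        return "reverse-lookup"      # PTR for an address already in the table
    if _under(host, OS_BACKGROUND):
        return "os-background"
    if _under(host, SHARED_HOSTING):
        return "shared-hosting"      # block the URL, not the domain
    if host in STUN_SERVERS:
        return "stun"                # external-address discovery; needs process attribution
    return "candidate-c2"


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage_network(text=NETWORK_TABLE):
    """Return (buckets: category -> names, contacts: name -> (ip, port, proto) list).
    Port-53 rows are the sandbox resolver, so they carry the name but no contact."""
    buckets, contacts = defaultdict(set), defaultdict(set)
    for r in parse_rows(text):
        buckets[classify(r["domain"])].add(r["domain"])
        if r["port"] != 53:
            contacts[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    return ({k: sorted(v) for k, v in buckets.items()},
            {k: sorted(v) for k, v in contacts.items()})


def blockable_domains(names):
    """Collapse per-host labels (the <uuid>.uuid.<domain> form above) to the parent
    two-label domain. Assumes a two-label registrable suffix; wrong for e.g. co.uk."""
    return sorted({".".join(n.split(".")[-2:]) for n in names})


if __name__ == "__main__":
    buckets, contacts = triage_network()
    for name in buckets.get("candidate-c2", []):
        print(name, contacts.get(name, "no direct contact recorded"))
    print("block:", blockable_domains(buckets.get("candidate-c2", [])))
```

The uuid-labelled name is resolved but never contacted directly in the rows above, so the useful indicator is the parent domain rather than that FQDN; the two TCP 443 destinations (185.82.216.111 and 104.21.94.82) are the addresses worth carrying into a block list alongside it.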

Files

memory/2476-1-0x0000000002970000-0x0000000002D71000-memory.dmp

memory/2476-2-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/2476-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4900-4-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/4900-5-0x0000000002D40000-0x0000000002D76000-memory.dmp

memory/4900-7-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4900-6-0x0000000005630000-0x0000000005C58000-memory.dmp

memory/4900-8-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4900-9-0x0000000005450000-0x0000000005472000-memory.dmp

memory/4900-10-0x0000000005C60000-0x0000000005CC6000-memory.dmp

memory/4900-11-0x0000000005CD0000-0x0000000005D36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxkufikj.gcz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4900-21-0x0000000005D40000-0x0000000006094000-memory.dmp

memory/4900-22-0x00000000062F0000-0x000000000630E000-memory.dmp

memory/4900-23-0x00000000063A0000-0x00000000063EC000-memory.dmp

memory/4900-24-0x0000000006840000-0x0000000006884000-memory.dmp

memory/4900-25-0x0000000007620000-0x0000000007696000-memory.dmp

memory/4900-27-0x00000000076C0000-0x00000000076DA000-memory.dmp

memory/4900-26-0x0000000007D20000-0x000000000839A000-memory.dmp

memory/4900-29-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/4900-28-0x0000000007880000-0x00000000078B2000-memory.dmp

memory/4900-30-0x00000000714F0000-0x0000000071844000-memory.dmp

memory/4900-41-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4900-40-0x00000000078C0000-0x00000000078DE000-memory.dmp

memory/4900-42-0x00000000078E0000-0x0000000007983000-memory.dmp

memory/4900-43-0x00000000079D0000-0x00000000079DA000-memory.dmp

memory/4900-44-0x0000000007A90000-0x0000000007B26000-memory.dmp

memory/4900-45-0x00000000079F0000-0x0000000007A01000-memory.dmp

memory/4900-46-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4900-47-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4900-48-0x0000000007A30000-0x0000000007A3E000-memory.dmp

memory/4900-49-0x0000000007A40000-0x0000000007A54000-memory.dmp

memory/4900-50-0x0000000007B30000-0x0000000007B4A000-memory.dmp

memory/4900-51-0x0000000007A70000-0x0000000007A78000-memory.dmp

memory/4900-54-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3396-56-0x0000000002960000-0x0000000002D64000-memory.dmp

memory/3396-57-0x0000000002D70000-0x000000000365B000-memory.dmp

memory/2000-67-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/2000-68-0x00000000714F0000-0x0000000071844000-memory.dmp

memory/2000-78-0x0000000006F90000-0x0000000007033000-memory.dmp

memory/2000-79-0x0000000007490000-0x00000000074A1000-memory.dmp

memory/2000-80-0x00000000074E0000-0x00000000074F4000-memory.dmp

memory/2476-82-0x0000000002970000-0x0000000002D71000-memory.dmp

memory/2476-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a36cbb850c0d2a8520df14278048e3c
SHA1 e98499c3a91cadcf54e04a66d3635696d7adf6ac
SHA256 1d6e9b2eb922de3e41679a6a9f806f3e7920070e56b1f764e659723ae8d99bd4
SHA512 ad13ebf1ae8690042ba467b82a742d390ddfc718a2f3d39d4b34edd84ba97045e54e78652ad64bef643a555e37d4563711e9467f34c61366618fc73eccf2c841

memory/4772-96-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/4772-97-0x00000000714F0000-0x0000000071844000-memory.dmp

memory/2476-107-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/4308-118-0x0000000005A30000-0x0000000005D84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e399b04431901cc9f510eb4927fa8ddf
SHA1 20355a40acbee7c51679bdd3ed15c56ae96b6efc
SHA256 cf8a9caf94051989206511c72d5aa04f90bd59ff0a120506744928c666ac1cab
SHA512 20b1c34e1a576c76668da10d7a205f69ff987873ec6a5a36c305a2667035fe06de333226082882139d19e8eb8afc2efea0d7968af53b54cb03bed0619291afdc

memory/4308-120-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/4308-121-0x0000000070EF0000-0x0000000071244000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ff517167739e9a3c22813702ea067be5
SHA1 db22cfd1119e1be0366774ea74b35e07644bffbc
SHA256 c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef
SHA512 8b891d1c798643fa7b89e139af4ff97a3ee8b554a6f9b8a54a99ebe9d7638b1ee9465a4d760904b3a2e30aa38cb49b242e02bca7f5e8036c752296518b106ecd

memory/4960-146-0x0000000005630000-0x0000000005984000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b6690e6689c5fe6c8482711b65ccb79
SHA1 4d9fc7e85e319a28751d24dfcbae51f6109a8310
SHA256 52dd0508f12ee541f3529cde1091935e450fd1a73f1c16929f7d1cb707767ac3
SHA512 0d95b04fd6532918bfc347bcfcb2024cd9303c2d133a0d3499fbdbc95a47e2dbf9d18f87fc0540ce7b2788fa703d59d4bd8d8a4d9ed398288bc3863b9343b6aa

memory/3396-148-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4960-149-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/4960-150-0x0000000070F10000-0x0000000071264000-memory.dmp

memory/2136-167-0x0000000005870000-0x0000000005BC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b4574a0fb1754fe2b0fe91479dc4edd8
SHA1 579b4076a0f557be9b72942a28d7423a112455ee
SHA256 54cba8c7e415a083f9afeaf582c1d734dafa06c75b86b6a9a5b6ec773c78e7bb
SHA512 f9496b1038b66891fefe19cd2c79d2800b9fc8105b5ed3b3f6c3185615c9e511facb9774b2fbc5cdd8f647af143553e3a587dd9f9590e2b9c1632207f8a972c2

memory/2136-173-0x00000000062C0000-0x000000000630C000-memory.dmp

memory/2136-174-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/2136-175-0x0000000071440000-0x0000000071794000-memory.dmp

memory/2136-185-0x0000000007260000-0x0000000007303000-memory.dmp

memory/2136-186-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/2136-187-0x0000000005E70000-0x0000000005E84000-memory.dmp

memory/3676-194-0x00000000060B0000-0x0000000006404000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0fb661ff27a5244e4430ac5b43f3bb27
SHA1 d25fb5b2dbfa35966a86ce0f70242ad2e58f0f13
SHA256 ffd487e060108498448ec1d1b827eca7d9bfef74d1c8bb3b7598f1038b647746
SHA512 8b17b8593557e9464a37a5f5c358830af0370bf0e84317f793a956227bd178e10088acad022f9d6dce755808fdc43b643c7f6d6a181d7173c1563c1c496bc567

memory/3676-200-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/3676-201-0x0000000071A50000-0x0000000071DA4000-memory.dmp

memory/2956-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3396-220-0x0000000002960000-0x0000000002D64000-memory.dmp

memory/2956-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4108-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4580-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4108-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2956-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4580-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2956-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4580-244-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2956-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-262-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-266-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-270-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:20

Reported

2024-05-16 10:23

Platform

win11-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

17 matches of the Glupteba payload rule; no description, indicator, process or target recorded for any of them.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
6 matches of the UPX packed file rule; no description, indicator, process or target recorded for any of them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe C:\Windows\rss\csrss.exe
PID 1916 wrote to memory of 5008 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 5108 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 1068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 416 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3804 wrote to memory of 2908 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe

"C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe

"C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 06470732-996b-4b42-b3e9-ad63aa2d799e.uuid.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.dumperstats.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.111:443 server10.dumperstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdh5elbc.f3f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 918551cfdb61af95bd59cb291e147f40
SHA1 abf0a4d12f32eefd4acc2d339ce7b6e9be239695
SHA256 de734370c9747675d0734b753374fac2cf74b8e66a197e9718e958462945b2eb
SHA512 159b1e75e87ad5109512c83b3ba565d74e21594765626085ac55a60bc9c435f54dfb8f9e67c91af0bb9b1054b150bdfbc1869635fb0dc983c2dec7d7e525ca48

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c75cc32b8686baac5beb024f7ade7aed
SHA1 2ebd3c3909d866d66cd30797d8aed39fa573d4d8
SHA256 5ffc2ee70d906546014bda64fb377bdbb11cfde4a88837384e561d1614878fcf
SHA512 b85ce257fff37a0d6605f975454fbf4769f2e7e92c15cec610658af9f5df31945827c195d6cdaca0ebb2ada3f820380b498a8d3f4c81362f8d38a740fb015d35

C:\Windows\rss\csrss.exe

MD5 ff517167739e9a3c22813702ea067be5
SHA1 db22cfd1119e1be0366774ea74b35e07644bffbc
SHA256 c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef
SHA512 8b891d1c798643fa7b89e139af4ff97a3ee8b554a6f9b8a54a99ebe9d7638b1ee9465a4d760904b3a2e30aa38cb49b242e02bca7f5e8036c752296518b106ecd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd56635a9e3f19cf8a714a0b72d45ebf
SHA1 f29e5785687b397832ad5738110ad51e4a954e9f
SHA256 8a02cf892d0dd9c738d0f565b8d0ef9344eecaaac4324299249f0a153575b7a9
SHA512 fc7cb6c67ba50bc2b6f84263c8d2ae060264e5129db54ecd8c7d682f8fd7befc174e74d20b57ebc8ac8d2eff23bf619011897c1c27c080ce6e4f67e99ceeb6c2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 24ada7b355bb39dbfff5854eacd745ef
SHA1 732e946c81368230762fc592e2d31abb12dca367
SHA256 a63ccf9d8657d3e2eccefb0bdc1f2ce8b19ec0cf6111c2964aede074546fbf35
SHA512 d2ba358bbf4e6be06a51afa01304796d0a729953c18f4893be699fd49448585af6acef0dc1bfe07de7dd6602bc6675eb15e30a008a268aeda95fa561e71f2389

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b7b39839e6ed5752965d2a375625dc1
SHA1 9d0cf622f1231e3bdd4e2b45cd203e7a4f3dbfbf
SHA256 f2f9718eb65fc9ebf3480a49c91b0d8d762a77d403a645b5578ccbed2f61374c
SHA512 2cea9482795954a9b97440d35707e1be2060c7831d37f700becd2dafee4302753f0a2e54d450616fd8a9a0a29105a930b47f24b8cd4fcfc68b37de905dc4cbcb

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
