Malware Analysis Report

2025-06-16 01:58

Sample ID: 240509-x132lsdf95
Target: a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25
SHA256: a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25 was found to be: Known bad.

Malicious Activity Summary

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:20

Reported

2024-05-09 19:22

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 matches; no description, indicator, process or target details were recorded for any of them

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches; no description, indicator, process or target details were recorded for any of them

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Events
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target Events
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-<resource id> = "<time zone display name>" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A 23 (one MuiCache entry per cached tzres.dll time-zone string)
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-<resource id> = "<time zone display name>" C:\Windows\windefender.exe N/A 22 (one MuiCache entry per cached tzres.dll time-zone string)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 14
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 32
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1500 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2332 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2332 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\system32\cmd.exe 2
PID 1368 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 2332 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2332 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2332 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\rss\csrss.exe 3
PID 4492 wrote to memory of 4300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4492 wrote to memory of 4072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4492 wrote to memory of 1888 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4492 wrote to memory of 1480 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 2308 wrote to memory of 4452 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4452 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe

"C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe

"C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 74.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 e66c2096-4dea-48ec-b489-6972cb5b2515.uuid.createupdate.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server10.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server10.createupdate.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server10.createupdate.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server10.createupdate.org tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/1500-1-0x0000000003360000-0x0000000003759000-memory.dmp

memory/1500-2-0x0000000005000000-0x00000000058EB000-memory.dmp

memory/1500-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4500-4-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

memory/4500-5-0x0000000002740000-0x0000000002776000-memory.dmp

memory/4500-7-0x0000000004F20000-0x0000000005548000-memory.dmp

memory/4500-8-0x0000000074EF0000-0x00000000756A0000-memory.dmp

memory/1500-6-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4500-9-0x0000000004D60000-0x0000000004D82000-memory.dmp

memory/4500-10-0x0000000005550000-0x00000000055B6000-memory.dmp

memory/4500-11-0x00000000055C0000-0x0000000005626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m3azys2m.4ub.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4500-17-0x00000000056B0000-0x0000000005A04000-memory.dmp

memory/4500-22-0x0000000005D20000-0x0000000005D3E000-memory.dmp

memory/4500-23-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

memory/4500-24-0x0000000006E80000-0x0000000006EC4000-memory.dmp

memory/4500-25-0x0000000007030000-0x00000000070A6000-memory.dmp

memory/4500-26-0x0000000007730000-0x0000000007DAA000-memory.dmp

memory/4500-27-0x00000000070D0000-0x00000000070EA000-memory.dmp

memory/4500-28-0x0000000007280000-0x00000000072B2000-memory.dmp

memory/4500-29-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/4500-30-0x0000000071490000-0x00000000717E4000-memory.dmp

memory/4500-40-0x0000000074EF0000-0x00000000756A0000-memory.dmp

memory/4500-41-0x00000000072C0000-0x00000000072DE000-memory.dmp

memory/4500-42-0x00000000072E0000-0x0000000007383000-memory.dmp

memory/4500-43-0x0000000074EF0000-0x00000000756A0000-memory.dmp

memory/4500-44-0x00000000073D0000-0x00000000073DA000-memory.dmp

memory/4500-45-0x00000000074A0000-0x0000000007536000-memory.dmp

memory/4500-46-0x0000000007400000-0x0000000007411000-memory.dmp

memory/4500-47-0x0000000007440000-0x000000000744E000-memory.dmp

memory/4500-48-0x0000000007450000-0x0000000007464000-memory.dmp

memory/4500-49-0x0000000007540000-0x000000000755A000-memory.dmp

memory/4500-50-0x0000000007480000-0x0000000007488000-memory.dmp

memory/4500-53-0x0000000074EF0000-0x00000000756A0000-memory.dmp

memory/1500-56-0x0000000003360000-0x0000000003759000-memory.dmp

memory/1500-57-0x0000000005000000-0x00000000058EB000-memory.dmp

memory/1500-55-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/716-67-0x0000000006410000-0x0000000006764000-memory.dmp

memory/716-68-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/716-69-0x0000000070F10000-0x0000000071264000-memory.dmp

memory/716-79-0x0000000007B50000-0x0000000007BF3000-memory.dmp

memory/716-80-0x0000000007E70000-0x0000000007E81000-memory.dmp

memory/1500-82-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2332-81-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/716-83-0x0000000007EE0000-0x0000000007EF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4380-87-0x0000000005C70000-0x0000000005FC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 246bb92469c26e7ace7b1afe900d18eb
SHA1 c66299721f82bef1dc647de5d4d040c6063647c9
SHA256 799c96861e0277e9ff3f324b36c010e64c552c16954cad28d9fc54eeab048d81
SHA512 6b6e20b3c562dcedf874492b49c20664d18b47e7bf95e1a2d3a57aac886ce63b048140313630e5944355f50a5caa9770a0f39e2915e7b932763d9612d5ab373d

memory/4380-98-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/4380-99-0x0000000071510000-0x0000000071864000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9ac482f9e8cc92eb4c9faa0bb94e4aa8
SHA1 5ca627c3cb2baabb470814ee358187a2769bb820
SHA256 c7ac042d126393b3535bd2c29f80bb469b0ab5c25fbe905cc29cfec52bcb5918
SHA512 357d9775ed01ca7347caed06ebc218641a291339d0c15820cde392e5016de11abf55e2db40e96441c61e805788173bded2f05c22b4fc744a951cea0eb43970f8

memory/4268-121-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/4268-122-0x0000000070F10000-0x0000000071264000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 bf149c257d5476b462697565ccd2b916
SHA1 59d9698919c39b07afbacc3bc4f1fb6bc8d1c1c8
SHA256 a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25
SHA512 ff3c413b8d9709020a09eb65b5c6844e7d5b59667a518a215bfa4fee7f9716003db9d86ea55017be1bbd9929b48acba4656c860a413e33b88e8effbe3f012436

memory/2332-136-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b1db53504e78661a8c6de97429eebd3e
SHA1 fc6c4ae4d0e24051ce771f5cb996a74a64a03aaa
SHA256 e7812377a3165b48568f3fc3f4d3b8ffdd0fb1dfe0fe8f732496262b5b888247
SHA512 f5e7b0b83c9ee16bbd76a605b0c545974ee8692640e150e6c36b43525fbdc800cf7596eba15f6a007ac573a8f1cbb30181448b8956b3b09f2c0b494b1e7335d4

memory/4300-150-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/4300-151-0x0000000070F10000-0x0000000071264000-memory.dmp

memory/4492-161-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4072-169-0x00000000062D0000-0x0000000006624000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 469df782ebeed217da1fe78fb58b2637
SHA1 7ff47c4197464e7c34fb19b61a7d92c255b6b37d
SHA256 03b6705acbbe59bdc01e55d3200ce71f569ad893e855c880cddfcc169fce26f8
SHA512 4ce053d37f270dcced4a049feb506c60c683b33f0aa3267092e5b2e965a8cad4ee77c9f5101655b405df0507e58d0d1b7f0800cc00e875cb7b1c0866f61ed019

memory/4072-174-0x0000000006980000-0x00000000069CC000-memory.dmp

memory/4072-175-0x0000000070CB0000-0x0000000070CFC000-memory.dmp

memory/4072-176-0x0000000071440000-0x0000000071794000-memory.dmp

memory/4072-186-0x0000000007B90000-0x0000000007C33000-memory.dmp

memory/4072-188-0x0000000006730000-0x0000000006741000-memory.dmp

memory/4072-189-0x0000000006770000-0x0000000006784000-memory.dmp

memory/1888-200-0x0000000005970000-0x0000000005CC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a92aac93fcba1d112c33841e268aa900
SHA1 fa062ab8362af243a403d87c8088d910cabcd208
SHA256 59b904c1e38e3595f7ea24f84fdf7e805d0a19962e9664ebcfa03bc52f87ad3f
SHA512 6afbc43a789a6a986d92f0db508f5eabc546af8dd9c5c99b153e6681df2167c542bc25577112e3735f0104bf6c404e4e12c5a5319b1d8161c8dee54191b8366b

memory/1888-202-0x0000000070CB0000-0x0000000070CFC000-memory.dmp

memory/1888-203-0x0000000070E40000-0x0000000071194000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4492-219-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2308-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2308-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4492-229-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1900-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4492-231-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4492-235-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1900-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4492-238-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4492-241-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4492-243-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1900-246-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4492-247-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4492-250-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4492-253-0x0000000000400000-0x0000000002EDD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:20

Reported

2024-05-09 19:22

Platform

win11-20240426-en

Max time kernel

149s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1132 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1132 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\system32\cmd.exe
PID 4588 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\system32\cmd.exe
PID 3596 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3596 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4588 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\rss\csrss.exe
PID 4588 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\rss\csrss.exe
PID 4588 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe C:\Windows\rss\csrss.exe
PID 2688 wrote to memory of 4720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 4720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 4720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 1652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 1652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 1652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 3432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 3432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 3432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 4272 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2688 wrote to memory of 4272 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4360 wrote to memory of 3636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 3636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 3636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3636 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3636 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe

"C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe

"C:\Users\Admin\AppData\Local\Temp\a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ca98f819-1a90-4184-8013-4d5906b4777a.uuid.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server8.createupdate.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.104:443 server8.createupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server8.createupdate.org tcp
BG 185.82.216.104:443 server8.createupdate.org tcp

Files

memory/1132-1-0x0000000003320000-0x0000000003726000-memory.dmp

memory/1132-2-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/1132-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1316-4-0x000000007488E000-0x000000007488F000-memory.dmp

memory/1316-5-0x00000000029B0000-0x00000000029E6000-memory.dmp

memory/1316-7-0x00000000051A0000-0x00000000057CA000-memory.dmp

memory/1316-6-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1316-8-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1316-9-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

memory/1316-11-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/1316-10-0x0000000005070000-0x00000000050D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdobob1l.ntv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1316-20-0x00000000059B0000-0x0000000005D07000-memory.dmp

memory/1316-21-0x0000000005E70000-0x0000000005E8E000-memory.dmp

memory/1316-22-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

memory/1316-23-0x00000000063C0000-0x0000000006406000-memory.dmp

memory/1316-24-0x0000000007270000-0x00000000072A4000-memory.dmp

memory/1316-25-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1316-26-0x0000000070D40000-0x0000000071097000-memory.dmp

memory/1316-35-0x00000000072D0000-0x00000000072EE000-memory.dmp

memory/1316-36-0x00000000072F0000-0x0000000007394000-memory.dmp

memory/1316-37-0x0000000007A60000-0x00000000080DA000-memory.dmp

memory/1316-38-0x0000000007420000-0x000000000743A000-memory.dmp

memory/1316-39-0x0000000007460000-0x000000000746A000-memory.dmp

memory/1316-40-0x0000000007570000-0x0000000007606000-memory.dmp

memory/1316-41-0x0000000007480000-0x0000000007491000-memory.dmp

memory/1316-43-0x00000000074E0000-0x00000000074F5000-memory.dmp

memory/1316-42-0x00000000074D0000-0x00000000074DE000-memory.dmp

memory/1316-44-0x0000000007530000-0x000000000754A000-memory.dmp

memory/1316-45-0x0000000007550000-0x0000000007558000-memory.dmp

memory/1316-48-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1132-50-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/820-59-0x0000000005BC0000-0x0000000005F17000-memory.dmp

memory/820-70-0x00000000071F0000-0x0000000007294000-memory.dmp

memory/820-61-0x0000000070C70000-0x0000000070FC7000-memory.dmp

memory/820-60-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/820-71-0x0000000007520000-0x0000000007531000-memory.dmp

memory/820-72-0x0000000007570000-0x0000000007585000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6d5e5e7a3c08d8b804081ed483809b22
SHA1 197f252cd4b1ceaebf7cb89b182e1802cbd022bf
SHA256 0f7ab38764a57a768c79fe55f978ce4401843fb62ba2c0fbbc005c99c1bd82d8
SHA512 a284c2cea67056a1d0b797f72461076bc3dcf3b73c230f03704a0befee247c995cf1fbc321f8075878228260b76bee7766f6f9db23f2c85de2a2d4f7d17a35ec

memory/1776-84-0x0000000005FA0000-0x00000000062F7000-memory.dmp

memory/1776-86-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1776-87-0x0000000070C90000-0x0000000070FE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b100cfd25c0a6b72dd00eb2fd522c9e
SHA1 5ae023c56ae8e66fd1d94212f1555e6cfaa581ee
SHA256 7cec9e798a87f566a3ceb96647e298747b5db1fe065afaf1e8060eed2a35995a
SHA512 9d70191976708cc4f445010fa17061fe59e9f1b67cffd8754ff199073f992a2f3fa2de0d51422c9ef113e4e88791e2c065a5317bd9f97e0724dbebea889ac111

memory/2416-107-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1132-114-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/2416-108-0x0000000070C70000-0x0000000070FC7000-memory.dmp

memory/1132-106-0x0000000003320000-0x0000000003726000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 bf149c257d5476b462697565ccd2b916
SHA1 59d9698919c39b07afbacc3bc4f1fb6bc8d1c1c8
SHA256 a7dc63be383fd84964d72508f8caba6f7a4132a8226b6a3dbe3c7c3d8cdc1e25
SHA512 ff3c413b8d9709020a09eb65b5c6844e7d5b59667a518a215bfa4fee7f9716003db9d86ea55017be1bbd9929b48acba4656c860a413e33b88e8effbe3f012436

memory/4588-125-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1132-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 44e5256637f2300b7422c3f55b941e1c
SHA1 ec0d6f9964dbdc3e364b42b2da465c41124cbce9
SHA256 c0539edce05e4d6fa989a267278b02e3e2c9c785e1ae1af22e40f4ac89821878
SHA512 8fb08391fc887ea5442784b473fa5778d72f5b013818e3731a843070dcc6f7261c6c287a65acd3d8c1b04caf97b4b041eebd1324750dfadb7432d4c78b531720

memory/4720-137-0x0000000070C70000-0x0000000070FC7000-memory.dmp

memory/4720-136-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1652-155-0x0000000006340000-0x0000000006697000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dd4f1ef44a1702ef14ecc3f4faa2c364
SHA1 7c9cf98c501e028fe913cb22921b76cf6e542cd1
SHA256 84d9391f9ff6ba7e89d930c6407815aeb7fc63000c937fe9b2b58a1dc344aee5
SHA512 c65472ecf1699ab5d12a7e50b0c66a262e8c487b99d7a1a3b51744a33b40f8edaa26e9163d42c722ad0d2213446ff8d9e7bb27675a3a6a2e0ae9e11b62be9b77

memory/1652-157-0x00000000067E0000-0x000000000682C000-memory.dmp

memory/1652-159-0x0000000070B90000-0x0000000070EE7000-memory.dmp

memory/1652-168-0x0000000007A30000-0x0000000007AD4000-memory.dmp

memory/1652-158-0x0000000070A10000-0x0000000070A5C000-memory.dmp

memory/1652-169-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/1652-170-0x0000000006270000-0x0000000006285000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5682bafaa9a067d3df58df88fde2ced
SHA1 bf7dee620aa9095ce97cc85001101d74b6791dde
SHA256 d43a095c9bb71453dc9ab774e0a9ec8b4b7e841e5afc0eb65042edcfe6c0c2b8
SHA512 83fd896f9848e027765d9af67abe7b4777579c248c08e7570611e2fd8d7b4856ef2c9de32892897bb2ec8bad8bc714fb29402d4d911d73aa81faa25649af4034

memory/3432-182-0x0000000070A10000-0x0000000070A5C000-memory.dmp

memory/3432-183-0x0000000070B90000-0x0000000070EE7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2688-199-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4360-204-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1036-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4360-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2688-207-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1036-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2688-214-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-218-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1036-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2688-222-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-225-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-229-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-233-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-238-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-242-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-245-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-249-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2688-253-0x0000000000400000-0x0000000002EDD000-memory.dmp