Analysis Overview
SHA256
3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97
Threat Level: Known bad
The file 3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97 was found to be: Known bad.
Malicious Activity Summary
Glupteba
Glupteba payload
Modifies Windows Firewall
UPX packed file
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 19:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 19:23
Reported
2024-05-09 19:26
Platform
win10v2004-20240426-en
Max time kernel
7s
Max time network
131s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| BE | 2.17.196.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| BE | 2.17.196.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3e94ad17-6368-4019-81e3-8d4d6f9b5b4f.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun.stunprotocol.org | udp |
| US | 8.8.8.8:53 | server1.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server1.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| BG | 185.82.216.96:443 | server1.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server1.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/3360-1-0x00000000031F0000-0x00000000035F0000-memory.dmp
memory/3360-2-0x0000000004F90000-0x000000000587B000-memory.dmp
memory/3360-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/736-4-0x000000007484E000-0x000000007484F000-memory.dmp
memory/736-5-0x00000000048B0000-0x00000000048E6000-memory.dmp
memory/736-7-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/736-6-0x0000000005060000-0x0000000005688000-memory.dmp
memory/736-8-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/736-9-0x0000000004EF0000-0x0000000004F12000-memory.dmp
memory/736-10-0x0000000005690000-0x00000000056F6000-memory.dmp
memory/736-11-0x0000000005870000-0x00000000058D6000-memory.dmp
memory/736-21-0x00000000058E0000-0x0000000005C34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2n3bvcdo.ksp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/736-22-0x0000000005EB0000-0x0000000005ECE000-memory.dmp
memory/736-23-0x0000000005ED0000-0x0000000005F1C000-memory.dmp
memory/736-24-0x0000000006E70000-0x0000000006EB4000-memory.dmp
memory/736-25-0x00000000071D0000-0x0000000007246000-memory.dmp
memory/736-27-0x0000000007250000-0x000000000726A000-memory.dmp
memory/736-26-0x00000000078D0000-0x0000000007F4A000-memory.dmp
memory/736-41-0x0000000007450000-0x000000000746E000-memory.dmp
memory/736-44-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/736-43-0x0000000007560000-0x000000000756A000-memory.dmp
memory/736-42-0x0000000007470000-0x0000000007513000-memory.dmp
memory/736-31-0x0000000070E60000-0x00000000711B4000-memory.dmp
memory/736-45-0x0000000007620000-0x00000000076B6000-memory.dmp
memory/736-30-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/736-46-0x0000000007580000-0x0000000007591000-memory.dmp
memory/736-29-0x00000000706E0000-0x000000007072C000-memory.dmp
memory/736-28-0x0000000007410000-0x0000000007442000-memory.dmp
memory/736-47-0x00000000075C0000-0x00000000075CE000-memory.dmp
memory/736-50-0x0000000007600000-0x0000000007608000-memory.dmp
memory/736-49-0x00000000076C0000-0x00000000076DA000-memory.dmp
memory/736-48-0x00000000075D0000-0x00000000075E4000-memory.dmp
memory/736-53-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3360-55-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/2672-65-0x0000000005D10000-0x0000000006064000-memory.dmp
memory/3360-67-0x0000000004F90000-0x000000000587B000-memory.dmp
memory/3360-66-0x00000000031F0000-0x00000000035F0000-memory.dmp
memory/2672-69-0x0000000070B00000-0x0000000070E54000-memory.dmp
memory/2672-79-0x00000000075B0000-0x0000000007653000-memory.dmp
memory/2672-68-0x00000000706E0000-0x000000007072C000-memory.dmp
memory/2672-80-0x00000000078C0000-0x00000000078D1000-memory.dmp
memory/2672-81-0x0000000007910000-0x0000000007924000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f2e049d8b24256882c91ecf9ba88f506 |
| SHA1 | 9aee5be207934dfad4f9ea4426016474d4aa9c25 |
| SHA256 | 8b09dd4268a1769bb450b1d4624e534cdaf1bdca5215eedadd5fefc0db179fef |
| SHA512 | ac84b9c24e8a2a87bee87fca6dd49d4e89a69ca420212db4d4a16c7a4950f6246a39ba6d973c237e67e791ac28cb34e5b7e4df8b5e8a39fcf3fc983ec0de95a0 |
memory/808-94-0x0000000005FB0000-0x0000000006304000-memory.dmp
memory/808-97-0x0000000070860000-0x0000000070BB4000-memory.dmp
memory/808-96-0x00000000706E0000-0x000000007072C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b959f6e05f73f7d76242faf62f028be8 |
| SHA1 | 028261e7be1c09bbfe4fb0bdc1fdfb6dbaf6573e |
| SHA256 | 84a219dbfca939fa2a2aa92dadbb85da378297e47e9646427ffc94adb0269133 |
| SHA512 | bfcf23d5cf376e8aaa32ff3f6c7d845b9b23dbae32b046fd5c6d0f69cee85eaa10676a670904a6f6c021dc23ba991692f698681e30f64d6ea506915f1564880f |
memory/2204-117-0x0000000005E90000-0x00000000061E4000-memory.dmp
memory/2204-120-0x0000000071110000-0x0000000071464000-memory.dmp
memory/2204-119-0x00000000706E0000-0x000000007072C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | ca47016e7d5480bc3619c70abb333de2 |
| SHA1 | c98ff7b99d19bf951b93e243f4f92a8136b99e31 |
| SHA256 | 3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97 |
| SHA512 | c18986c42396bfb1b7ea64f7eb5f04d6f50cb737a9f4e6dba435d5023bce17d55402dd82517cff3d7abc5a64ef859d8734fd8765fdd580084a240aba72c4baf8 |
memory/3360-138-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4708-137-0x0000000000400000-0x0000000002EDD000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 56f3b4e6f393975793ed5913550d31af |
| SHA1 | d84aa547d78d84ea2cc149294af1bb5599456b12 |
| SHA256 | 1393150e44cb07ce2b8250b6181fe7e96ac241ff10d5b0289472b912ceb65ec5 |
| SHA512 | 2b9ea8c7ecb85cb7f54bd4cd6e7d9301ed2d00ffddd07c1aeb542b8ec27b4011b8db9ca14bd3b9481e2dbd209e4b792c4f7573219818acc7ddbeeb8e6555211e |
memory/3904-150-0x0000000070860000-0x0000000070BB4000-memory.dmp
memory/3904-149-0x00000000706E0000-0x000000007072C000-memory.dmp
memory/992-161-0x0000000005F00000-0x0000000006254000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e2b7a2b19af13e9bf1c072b4d050b797 |
| SHA1 | d64c540bab60399fdb3103044acc1cf40651c056 |
| SHA256 | 32198ff10f466498d65d4d7b0187fb241bf1dec8cf06341b277d25aa92902cb4 |
| SHA512 | 62c9e2c71df74ab22fa94e8d88f015de79a9676cb80587c4531bf187a33eaca0de001f0d93a8f3b674aac0543db9b0d94f8fb6760c38c693ad51672ffe757087 |
memory/992-172-0x0000000006980000-0x00000000069CC000-memory.dmp
memory/992-184-0x0000000007860000-0x0000000007903000-memory.dmp
memory/992-174-0x0000000070D90000-0x00000000710E4000-memory.dmp
memory/992-173-0x0000000070600000-0x000000007064C000-memory.dmp
memory/992-185-0x0000000007B80000-0x0000000007B91000-memory.dmp
memory/992-186-0x00000000063F0000-0x0000000006404000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2da91a285956a6d07dafa21799e836b1 |
| SHA1 | 1bafb27aaa095b964d65028b83eab0b8d3c43d11 |
| SHA256 | 7ffbb7ef1404470390548787e01f3304883432f297ee827a40c3c6ae06b1cab7 |
| SHA512 | 30982b04cdc6bb603cbf506cdb2fab4b38131b8ed8e2a3644ec2ac2144d43d14dda64bd7ad06fe9867caaa4aa0d0aa3428e3f7f0da351419f30fc6fc511635e8 |
memory/5000-197-0x00000000056F0000-0x0000000005A44000-memory.dmp
memory/5000-200-0x0000000070790000-0x0000000070AE4000-memory.dmp
memory/5000-199-0x0000000070600000-0x000000007064C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/4884-218-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1356-226-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Windows\windefender.exe
| MD5 | eac3c94e166a4ac3e7d3dbf26d505ebb |
| SHA1 | c231e723ad6077f9b6bd12c5e7bd3fd208f7fa45 |
| SHA256 | 662eb9030b85d481e53772eb13a1b747a62bc68a862e0e4ba90f4e6acb3fe124 |
| SHA512 | b5b0f2d3205ebf43593ae73318cc078b5eafed92be6c8d113cf0e7dbef9f84da759301393b9528ac7f11b2f82dd8a190ad5c2b9066c84afbc1c9fb775fcff1a0 |
memory/4884-225-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1356-230-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4076-229-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/4076-234-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4884-233-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-237-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4076-242-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4884-241-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-245-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-249-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-253-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-257-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-261-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-265-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/4884-269-0x0000000000400000-0x0000000002EDD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 19:23
Reported
2024-05-09 19:26
Platform
win11-20240426-en
Max time kernel
13s
Max time network
134s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe | "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2f9be5f6-98a3-4c40-b801-ea2fbb467a84.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | server14.thestatsfiles.ru | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server14.thestatsfiles.ru | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| BG | 185.82.216.96:443 | server14.thestatsfiles.ru | tcp |
Files
memory/2676-1-0x0000000003390000-0x000000000378A000-memory.dmp
memory/2676-2-0x0000000005030000-0x000000000591B000-memory.dmp
memory/2676-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4476-4-0x000000007498E000-0x000000007498F000-memory.dmp
memory/4476-5-0x0000000002A40000-0x0000000002A76000-memory.dmp
memory/4476-7-0x0000000074980000-0x0000000075131000-memory.dmp
memory/4476-8-0x0000000074980000-0x0000000075131000-memory.dmp
memory/4476-9-0x0000000005380000-0x00000000053A2000-memory.dmp
memory/4476-11-0x0000000005C90000-0x0000000005CF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyyiluwv.ss5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4476-20-0x0000000005DD0000-0x0000000006127000-memory.dmp
memory/4476-10-0x0000000005C20000-0x0000000005C86000-memory.dmp
memory/4476-6-0x0000000005440000-0x0000000005A6A000-memory.dmp
memory/4476-22-0x0000000006250000-0x000000000629C000-memory.dmp
memory/4476-21-0x0000000006200000-0x000000000621E000-memory.dmp
memory/4476-23-0x0000000006610000-0x0000000006656000-memory.dmp
memory/4476-36-0x0000000007690000-0x0000000007734000-memory.dmp
memory/4476-35-0x0000000007670000-0x000000000768E000-memory.dmp
memory/4476-38-0x00000000077B0000-0x00000000077CA000-memory.dmp
memory/4476-39-0x00000000077F0000-0x00000000077FA000-memory.dmp
memory/4476-37-0x0000000007DF0000-0x000000000846A000-memory.dmp
memory/4476-40-0x0000000007900000-0x0000000007996000-memory.dmp
memory/4476-41-0x0000000007810000-0x0000000007821000-memory.dmp
memory/4476-26-0x0000000070D70000-0x00000000710C7000-memory.dmp
memory/4476-25-0x0000000070BF0000-0x0000000070C3C000-memory.dmp
memory/4476-24-0x0000000007610000-0x0000000007644000-memory.dmp
memory/4476-42-0x0000000007860000-0x000000000786E000-memory.dmp
memory/4476-43-0x0000000007870000-0x0000000007885000-memory.dmp
memory/4476-44-0x00000000078C0000-0x00000000078DA000-memory.dmp
memory/4476-45-0x00000000078B0000-0x00000000078B8000-memory.dmp
memory/4476-48-0x0000000074980000-0x0000000075131000-memory.dmp
memory/480-51-0x0000000005490000-0x00000000057E7000-memory.dmp
memory/2676-50-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/480-61-0x0000000070E20000-0x0000000071177000-memory.dmp
memory/480-70-0x0000000006C10000-0x0000000006CB4000-memory.dmp
memory/480-60-0x0000000070BF0000-0x0000000070C3C000-memory.dmp
memory/480-71-0x0000000006F60000-0x0000000006F71000-memory.dmp
memory/480-72-0x0000000006FB0000-0x0000000006FC5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2e1bc34902797d74a92532966abe9d74 |
| SHA1 | 9a0236a812931879d5a7420d78dca9c101e5bd10 |
| SHA256 | 262883ad84efc388994b81539900312c589ee02c7f66b7abf7371134dd19cea7 |
| SHA512 | 988613a84b98f4ecf10f768b0a70ef5f7a997cbd80cd10516c07a640b4fe13f60d25d7131553b3f6aed046aa2d8f045228ffd69869495a83dc7fc4ef21b74d0f |
memory/4652-84-0x0000000005B10000-0x0000000005E67000-memory.dmp
memory/2676-86-0x0000000003390000-0x000000000378A000-memory.dmp
memory/4652-88-0x0000000071530000-0x0000000071887000-memory.dmp
memory/4652-87-0x0000000070BF0000-0x0000000070C3C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 24469b713785c95ba9fd21732935a75e |
| SHA1 | f86fa89eae367076d5c63d72f63d352c2134495e |
| SHA256 | 11c84578538cafd5319ca59d7f173d3ef782456d488fcc312be86e87ef4dd6c2 |
| SHA512 | e2000f9abcb86b97d7afcb37fcc961582c0cdcd09379ce733156f6b5dc68c9d4aeca8611c0d1e50f19c3cc1ea2efb8b0a673b38a6c5212d3e1597985ef155d6a |
memory/3824-108-0x0000000070D70000-0x00000000710C7000-memory.dmp
memory/3824-107-0x0000000070BF0000-0x0000000070C3C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 4fcf8c444b68867339a375bbcc8f0af9 |
| SHA1 | 5ae2f5ed2426b68e3813f304c793babc28d3681c |
| SHA256 | 91ab2ba4122537bffec96c6ab46d43cb7c461885dd6b6aa24e319b05ef64e610 |
| SHA512 | e54f81e04f64b24b6dffaede53b6ab0fd0f4140141ad775dd077457e128e6a66572d700d5e580b46f4bdf553563f6678c7df411a0fadc4753666861ccb12b6c3 |
memory/2592-121-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/2676-124-0x0000000005030000-0x000000000591B000-memory.dmp
memory/2676-126-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a3be135b4edbbe33db75b22b3e64db74 |
| SHA1 | fb1a4aae3844cd5a0f7f1c37326eea338287ed61 |
| SHA256 | b64602c523ae5b7efd4158e64ff58f3b807cc0ca12b5f61b4d33ee335988362b |
| SHA512 | b8bee7982197c175d8a191295ca7a306d7183438892d4519951ef8e6233671ddd23635374c3c7c71fc6672d12e3c384c7d7fc988fc1e3628673db84e8adae01e |
memory/4256-137-0x0000000070D70000-0x00000000710C7000-memory.dmp
memory/4256-136-0x0000000070BF0000-0x0000000070C3C000-memory.dmp
memory/1956-155-0x0000000005BD0000-0x0000000005F27000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a8d229e5eb4497c5e1252b6e6971cb1b |
| SHA1 | ba5b65ca491c194dc63712e8c71eb19e15205067 |
| SHA256 | 1f78dc406c714719e1e77e745dd342b34b5049ed84cf9b2386a8c552619aef53 |
| SHA512 | a552a0296da3e9890933dcf0c50fc2e57229a32e59218a2dc3898c1c2ed9b200d58924f94940572796450ab2f701c882a634fbd2c61f4a6e84ba30afea1bad5c |
memory/1956-157-0x0000000006070000-0x00000000060BC000-memory.dmp
memory/1956-158-0x0000000070B10000-0x0000000070B5C000-memory.dmp
memory/1956-168-0x0000000007280000-0x0000000007324000-memory.dmp
memory/1956-159-0x0000000070C90000-0x0000000070FE7000-memory.dmp
memory/1956-169-0x00000000075A0000-0x00000000075B1000-memory.dmp
memory/1956-170-0x00000000059B0000-0x00000000059C5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c98983ccc6fc947cff97d5fad22d1393 |
| SHA1 | 9276a8de551abc4c3c3cd3aa7ac5fab948dc7631 |
| SHA256 | 6b369b7e02d12bc0f513b1ce1024e0c3f095aef2e4040c85ddd2b2a72f5ebe3d |
| SHA512 | 2a1552100d5c15eabc55f7e5c4a9ff98097d1c4e1becad2efd82e69d3ac9555fbdca211588bb0fbe94f39bcb6eb5904af11f01cf48f22d49ee93db5993092bbf |
memory/5044-182-0x0000000070C90000-0x0000000070FE7000-memory.dmp
memory/5044-181-0x0000000070B10000-0x0000000070B5C000-memory.dmp
memory/1868-192-0x0000000000400000-0x0000000002EDD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/4340-203-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/4340-207-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/3216-206-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 48bb2b8b0b3d518ce9c666a3a9d5c412 |
| SHA1 | abaf622dba4f42473a663208fe6b961895d6de63 |
| SHA256 | 3fa30f23230ba70708815b9edee678e96522739221ac214833d0477828307749 |
| SHA512 | 84610f3fcb35484868537b76a27302eea7b3d110e50ede723654eda37ab427cb17a2f371787ad9fe05137659ecd8ba1240a0267b7ac0396b73c04705aeb83a7f |
memory/1868-208-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/3216-211-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1868-210-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-213-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/3216-217-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1868-216-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-220-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-222-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-225-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-228-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-232-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-234-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-237-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/1868-240-0x0000000000400000-0x0000000002EDD000-memory.dmp