Malware Analysis Report

2025-01-02 06:39

Sample ID 240515-3h2zgsaa79
Target 49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4
SHA256 49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4

Threat Level: Known bad

The file 49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:31

Reported

2024-05-15 23:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3964 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\system32\cmd.exe
PID 1616 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\system32\cmd.exe
PID 788 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 3464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1616 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\rss\csrss.exe
PID 1616 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\rss\csrss.exe
PID 1616 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\rss\csrss.exe
PID 3064 wrote to memory of 3272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 3272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 3272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 3672 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3064 wrote to memory of 3672 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1968 wrote to memory of 4228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 4228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 4228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4228 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4228 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe

"C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe

"C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 01bb46ab-899c-41c9-b8fe-52b2d3b3ed35.uuid.filesdumpplace.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server7.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server7.filesdumpplace.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server7.filesdumpplace.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_goj34ifk.o4e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 35b44e0ea494c973818eafe8af61a08b
SHA1 554ee7e0f6f06be0bfcc62dbeba2b80f56a395db
SHA256 3fa1ca6db4da2c428045b0675297c8362936c2e66b35a1bf66a607da9896f0b3
SHA512 85972eff74141ffff573975e2026294b2a1c901d08f2d2f61631f83de49d2313a8cfd17ee02ae07f357bb58b400a184462773127e53076b430566fae4a99b221

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4da66338e304984ac83abd74c871cc0
SHA1 35dff9757bc724f81afbb7520dedf6e3e6565731
SHA256 40ac114ecee20ae3cb234481e259b9e148bf79d644cea440fe80bc3925e8302b
SHA512 038a1eb9f5b4109169f8fe43cfe58c56c877414f2b102d4e4c340f587cfca0bd0d43206d00abd2299514c843362bb87fae99cebc0c453f4d2f63dd9ea0e899d1

C:\Windows\rss\csrss.exe

MD5 0a9cfc2c2484a4c4faa964d90b7061f9
SHA1 0c2df07b92230a6ca9467a6ddbc9762e2093f669
SHA256 49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4
SHA512 abca7098fcb20d168836609f48a78b18303252fe5df6c68fe22fe017c020ae26810105b3ae0ce1d70092b0a2253a06cdc124b02bdbfab0f6799a2697052622c7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f898df4cc55416194f6d959e869eccdf
SHA1 88e8554e3d538a3cd3d2502a03d188dec086d160
SHA256 be9269a459842eef49781144e32d312cc55f9ddfb37f392ba0b98cc8035b99e5
SHA512 1de8fa5b5f7b53b446925bcfe660624e8ef22e03c9f0e9961c2ccc5b915398aaff1416451f04b51c1cda3972dab32f2cf45789b92464db93bb51918968f3c605

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9ea35e98dabb7465a7fa67ebd5fbe1fc
SHA1 ddf824f11ebd433cd71d78fca970414085e29e39
SHA256 abb3222182a936352abfb446f7a9818ff54424a40b643d50bb9299a3b5b88b8d
SHA512 ab201ece950a6087f40a8c0c2428981ce615bd72450629c3aa775a05351d4991bd1ebcb128e9b9af6e1017b61269dbe815eb5ccfee44437020363d33bbf68ed7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 79cd2c0400ab7a78e3f13f30865ae0a0
SHA1 14402d9d22cfc3f95aca0d0852243f7f193e2485
SHA256 b5eb5882697ccf2ecb72db5c86b0bc181c511b5ee3091745bfedec8ffdd07b00
SHA512 3c67c1f1a81a2993bfd767d86cf74d447ceb2755dbdce899989aa4c6c7b340e6aed00c531990a670629c2c7800fde50b83aba76f90240369cb996b2d85bc38a5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:31

Reported

2024-05-15 23:34

Platform

win11-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (18 identical entries, no details reported)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical entries, no details reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4068 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3456 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\rss\csrss.exe
PID 3456 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\rss\csrss.exe
PID 3456 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\rss\csrss.exe
PID 3412 wrote to memory of 1300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1988 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3412 wrote to memory of 1988 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1692 wrote to memory of 1636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1636 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1636 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
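The rows above are easier to read as a process tree than as a flat table. The following is an added example, not part of the sandbox report, that parses a constructed subset of those rows (the same row repeats once per WriteProcessMemory call, which the parser collapses), rebuilds parent/child lineage by PID, and flags image paths that borrow the name of a core Windows binary from outside System32 (C:\Windows\rss\csrss.exe) or sit directly under C:\Windows (windefender.exe). The SYSTEM_ONLY allow-list and the directory heuristic are assumptions for illustration, not something the report states.

```python
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" table above,
# de-duplicated by hand (constructed sample input for this example).
ROWS = r"""
PID 2892 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3456 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe C:\Windows\rss\csrss.exe
PID 3412 wrote to memory of 1300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1988 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1692 wrote to memory of 1636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Assumption: a short allow-list of binaries that only legitimately run from
# System32 (or SysWOW64). Extend it for real triage; this is illustrative.
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
               "services.exe", "lsass.exe", "svchost.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(text):
    """Return (images, edges): pid -> image path, and a set of (parent, child) pids."""
    images, edges = {}, set()
    for m in ROW_RE.finditer(text):
        ppid, cpid, pimg, cimg = m.groups()
        images[int(ppid)] = pimg
        images[int(cpid)] = cimg
        edges.add((int(ppid), int(cpid)))
    return images, edges


def lineage(images, edges, pid):
    """Walk parent links from pid back to the root; return image paths root-first."""
    parents = {child: parent for parent, child in edges}
    chain, seen = [pid], {pid}
    while chain[-1] in parents and parents[chain[-1]] not in seen:
        chain.append(parents[chain[-1]])
        seen.add(chain[-1])
    return [images[p] for p in reversed(chain)]


def masquerade_findings(images):
    """Flag system-process names outside System32 and executables dropped
    straight into C:\\Windows. Returns a list of (pid, path, reason)."""
    findings = []
    for pid, path in images.items():
        low = path.lower()
        parent_dir, _, name = low.rpartition("\\")
        if name in SYSTEM_ONLY and not low.startswith(LEGIT_DIRS):
            findings.append((pid, path, "system-process name outside System32"))
        elif parent_dir + "\\" == "c:\\windows\\":
            findings.append((pid, path, "executable directly under C:\\Windows"))
    return findings


def render_tree(images, edges):
    """Indented text tree of the parsed processes, one line per process."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    roots = [p for p in images if p not in {c for _, c in edges}]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for r in sorted(roots):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    imgs, edgs = parse_rows(ROWS)
    print(render_tree(imgs, edgs))
    for pid, path, reason in masquerade_findings(imgs):
        print(f"[!] {pid} {path}: {reason}")
        print("    lineage: " + " -> ".join(lineage(imgs, edgs, pid)))
```

The tree makes the two launches of the sample (PIDs 2892 and 3456) and the separate windefender.exe branch visible at a glance; the masquerade check is what catches the fake csrss.exe, since its name alone would pass a name-based allow-list.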

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe

"C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe

"C:\Users\Admin\AppData\Local\Temp\49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
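The sc sdset command above rewrites the security descriptor of the WinDefender service. Read as SDDL, the Administrators (BA) allow ACE omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a separate deny ACE (D;;WPDT;;;BA) takes both away explicitly, so an administrator cannot stop or pause the service while LocalSystem keeps both rights. The following is an added example, not code from the report or from the malware, that parses that string, computes the rights each named principal ends up with, locates the ACE that blocks stopping, and emits a repaired descriptor. The right-code names follow the service access rights used by sc sdset; the repair simply drops deny ACEs and gives BA back WP and DT (assumption: that is the shape the descriptor had before the implant changed it).

```python
import re

# Two-letter SDDL right codes as they apply to service objects (the strings
# sc sdshow / sc sdset use). Generic rights included for completeness.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
        "SU": "Service logon", "WD": "Everyone"}

# The descriptor windefender.exe applied, copied from the sc sdset line above.
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_rights(rights):
    """'CCLCSW' -> ['CC', 'LC', 'SW']; a hex mask is kept as a single token."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Parse an SDDL string into owner, group and DACL/SACL ACE lists."""
    sd = {"owner": None, "group": None,
          "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for key, body in SECTION_RE.findall(sddl):
        if key == "O":
            sd["owner"] = body
        elif key == "G":
            sd["group"] = body
        else:
            flags = body.partition("(")[0]          # e.g. 'P' / 'AI' before the first ACE
            aces = []
            for ace in ACE_RE.findall(body):
                ace_type, ace_flags, rights, obj, inh, sid = ace.split(";")
                aces.append({"type": ace_type, "flags": ace_flags,
                             "rights": _split_rights(rights),
                             "object": obj, "inherit": inh, "sid": sid})
            name = "dacl" if key == "D" else "sacl"
            sd[name + "_flags"], sd[name] = flags, aces
    return sd


def explain_ace(ace):
    """One-line human-readable rendering of an ACE."""
    who = SIDS.get(ace["sid"], ace["sid"])
    rights = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
    return f"{ACE_TYPES.get(ace['type'], ace['type'])} {who}: {rights}"


def effective_rights(sd, sid):
    """Rights a principal gets from ACEs naming that SID directly.
    Simplification: explicit deny beats allow; group membership is not evaluated."""
    allowed, denied = set(), set()
    for ace in sd["dacl"]:
        if ace["sid"] != sid:
            continue
        (allowed if ace["type"] == "A" else denied if ace["type"] == "D" else set()).update(ace["rights"])
    return allowed - denied


def stop_denials(sd):
    """Deny ACEs that remove SERVICE_STOP or SERVICE_PAUSE_CONTINUE from anyone."""
    return [ace for ace in sd["dacl"]
            if ace["type"] == "D" and {"WP", "DT"} & set(ace["rights"])]


def repaired_sddl(sd):
    """Serialise the descriptor with deny ACEs removed and WP/DT restored to BA,
    in the form sc sdset accepts."""
    def fmt(ace, rights):
        return f"({ace['type']};{ace['flags']};{''.join(rights)};{ace['object']};{ace['inherit']};{ace['sid']})"

    dacl = []
    for ace in sd["dacl"]:
        if ace["type"] == "D":
            continue
        rights = list(ace["rights"])
        if ace["type"] == "A" and ace["sid"] == "BA":
            rights += [r for r in ("WP", "DT") if r not in rights]
        dacl.append(fmt(ace, rights))
    out = "D:" + sd["dacl_flags"] + "".join(dacl)
    if sd["sacl"]:
        out += "S:" + sd["sacl_flags"] + "".join(fmt(a, a["rights"]) for a in sd["sacl"])
    return out


if __name__ == "__main__":
    sd = parse_sddl(GLUPTEBA_SDDL)
    for ace in sd["dacl"]:
        print(explain_ace(ace))
    print("BA can stop:", "WP" in effective_rights(sd, "BA"))
    print("repaired:", repaired_sddl(sd))
```

Because the BA allow ACE still carries WD (WRITE_DAC), an administrator can push the repaired descriptor back with sc sdset WinDefender "<sddl>" and then sc stop WinDefender; whether it stays that way depends on whether the implant re-applies it, and the WinMonFS driver manipulation reported for this sample suggests a kernel-side component is also present. The scheduled task csrss and the firewall rule csrss created earlier in the process list are separate cleanup items.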

Network

Country Destination Domain Proto
US 8.8.8.8:53 22fb2af1-1ce4-4845-b48d-028ce2f8d5de.uuid.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.filesdumpplace.org udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server13.filesdumpplace.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server13.filesdumpplace.org tcp

Files

memory/2892-1-0x0000000004AA0000-0x0000000004E9C000-memory.dmp

memory/2892-2-0x0000000004EA0000-0x000000000578B000-memory.dmp

memory/2892-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2796-4-0x000000007470E000-0x000000007470F000-memory.dmp

memory/2796-5-0x0000000004EC0000-0x0000000004EF6000-memory.dmp

memory/2796-6-0x0000000074700000-0x0000000074EB1000-memory.dmp

memory/2796-7-0x0000000005690000-0x0000000005CBA000-memory.dmp

memory/2796-8-0x00000000055B0000-0x00000000055D2000-memory.dmp

memory/2796-10-0x0000000005DE0000-0x0000000005E46000-memory.dmp

memory/2796-9-0x0000000005D70000-0x0000000005DD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dykww1qb.mob.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2796-19-0x0000000005E50000-0x00000000061A7000-memory.dmp

memory/2796-20-0x0000000006360000-0x000000000637E000-memory.dmp

memory/2796-21-0x0000000006390000-0x00000000063DC000-memory.dmp

memory/2796-22-0x0000000006750000-0x0000000006796000-memory.dmp

memory/2796-25-0x0000000070B00000-0x0000000070E57000-memory.dmp

memory/2796-35-0x0000000074700000-0x0000000074EB1000-memory.dmp

memory/2796-34-0x00000000077B0000-0x00000000077CE000-memory.dmp

memory/2796-23-0x0000000007750000-0x0000000007784000-memory.dmp

memory/2796-24-0x0000000070970000-0x00000000709BC000-memory.dmp

memory/2796-36-0x00000000077D0000-0x0000000007874000-memory.dmp

memory/2796-37-0x0000000074700000-0x0000000074EB1000-memory.dmp

memory/2796-39-0x0000000007900000-0x000000000791A000-memory.dmp

memory/2796-38-0x0000000007F40000-0x00000000085BA000-memory.dmp

memory/2796-40-0x0000000007940000-0x000000000794A000-memory.dmp

memory/2796-41-0x0000000007A50000-0x0000000007AE6000-memory.dmp

memory/2796-42-0x0000000007960000-0x0000000007971000-memory.dmp

memory/2796-43-0x00000000079B0000-0x00000000079BE000-memory.dmp

memory/2796-44-0x00000000079C0000-0x00000000079D5000-memory.dmp

memory/2796-45-0x0000000007A10000-0x0000000007A2A000-memory.dmp

memory/2796-46-0x0000000007A30000-0x0000000007A38000-memory.dmp

memory/2796-49-0x0000000074700000-0x0000000074EB1000-memory.dmp

memory/2892-52-0x0000000004AA0000-0x0000000004E9C000-memory.dmp

memory/2892-51-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1588-58-0x0000000005FC0000-0x0000000006317000-memory.dmp

memory/2892-62-0x0000000004EA0000-0x000000000578B000-memory.dmp

memory/1588-63-0x0000000070970000-0x00000000709BC000-memory.dmp

memory/1588-73-0x00000000076A0000-0x0000000007744000-memory.dmp

memory/1588-64-0x0000000070BC0000-0x0000000070F17000-memory.dmp

memory/1588-74-0x00000000079E0000-0x00000000079F1000-memory.dmp

memory/1588-75-0x0000000007A30000-0x0000000007A45000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ed84913e909223bbe0d2820204549d13
SHA1 d2a1b6fb6e7e7583b5fb0b4c85efb65785971c60
SHA256 f247443e6406b6a0808fcc1cb61b30ffc3e046c661916eb5f3d79950bc546a53
SHA512 c0c625cce1066db9f07a807e8a993b075d55d64f2796d540d60203d4fdb35829b0bdea554c2e732ed1ebb80b7cc3b8b6884cdd2b39c54a8d61e9a9fdbfc2f0e9

memory/1276-89-0x0000000070BC0000-0x0000000070F17000-memory.dmp

memory/1276-88-0x0000000070970000-0x00000000709BC000-memory.dmp

memory/2272-107-0x0000000005770000-0x0000000005AC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 076b9e6a77fe5689abbdd9af87c364ba
SHA1 fcc27c6c8165188cf7bd084d3efff6136766f762
SHA256 07ede9c8f01e64397630d5023d81bf4ebc4652eaa3b428c9740a797521b14490
SHA512 1fbae55f687696d38441af671ebe4a50b3e8b836c38c8629d7e26b4a6442803264a4af00ddba464fbced0013eabebb1ee6759761ad3a2439cb1dcc1564948f80

memory/2272-110-0x00000000712B0000-0x0000000071607000-memory.dmp

memory/2272-109-0x0000000070970000-0x00000000709BC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0a9cfc2c2484a4c4faa964d90b7061f9
SHA1 0c2df07b92230a6ca9467a6ddbc9762e2093f669
SHA256 49279f6cbb00ced9f9cf65f4e7ec572c4ca66eef122c9a070bef7147b89ec7c4
SHA512 abca7098fcb20d168836609f48a78b18303252fe5df6c68fe22fe017c020ae26810105b3ae0ce1d70092b0a2253a06cdc124b02bdbfab0f6799a2697052622c7

memory/3456-123-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2892-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1300-136-0x0000000005660000-0x00000000059B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 641a5f8d5d154a0066f80dc1f54aa408
SHA1 caa0a3fd44256da4ee5922277d84d01149611102
SHA256 ea8480f64956841d0862e9c8025f56c56d3b266e54368d8092ad29485ac3e698
SHA512 8611e9ecc6431c9a279a1ac08ff27be894c644a2c122f6861c69cfb75e7a5ea2c18530837f5db322a2e381e9d3fd498a8e71abd28924d00bd73676b0488da3f8

memory/1300-138-0x0000000070970000-0x00000000709BC000-memory.dmp

memory/1300-139-0x0000000070B10000-0x0000000070E67000-memory.dmp

memory/1940-157-0x0000000006270000-0x00000000065C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b624eb9aeddadd3ef8a6e06d876fb913
SHA1 9d916b828d04c63588f15ba3fb2c70c33adfadc4
SHA256 f6f606fae5a84e75985172f4e7cbbc95220b0887fcb205c2cfc995068ece163a
SHA512 4c4135cfbaab8d053c2b75f432a31a3c61ef91a4dcce717677e8f47520d9d5cb533d606c42fff412482f9f050780332d56b0b19352ac09be1c72efa8c715265b

memory/1940-159-0x0000000006E30000-0x0000000006E7C000-memory.dmp

memory/1940-160-0x0000000070890000-0x00000000708DC000-memory.dmp

memory/1940-170-0x0000000007AD0000-0x0000000007B74000-memory.dmp

memory/1940-161-0x0000000070A80000-0x0000000070DD7000-memory.dmp

memory/1940-171-0x0000000007E10000-0x0000000007E21000-memory.dmp

memory/1940-172-0x0000000006650000-0x0000000006665000-memory.dmp

memory/3880-182-0x00000000061A0000-0x00000000064F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b9db25179e81ca61b1fb9ef6f90a611d
SHA1 d34564867fc3ffd0f5a135c0faaf812d7a517726
SHA256 7668697a1bf3182a3379b9728ffc81d780da38d006dff6e90e61e539eef4f6b9
SHA512 a715262a35549ebc4df858bf618f15c7834abb04125e6efa295758ebaadbf43107a888fb0811816ad67661aae73846469817ca60b3c57418597d48f3a5efa9b1

memory/3880-184-0x0000000070890000-0x00000000708DC000-memory.dmp

memory/3880-185-0x0000000070A10000-0x0000000070D67000-memory.dmp

memory/3412-195-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1692-206-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3412-205-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1784-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1692-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1784-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3412-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1784-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3412-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3412-241-0x0000000000400000-0x0000000002B0B000-memory.dmp