Malware Analysis Report

2025-01-02 06:31

Sample ID 240515-3hybashg3z
Target 3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f
SHA256 3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f

Threat Level: Known bad

The file 3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:31

Reported

2024-05-15 23:34

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(17 matches; the report exports no description, indicator, process or target for this signature)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; no per-match details exported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

(\??\WinMonFS is a device object, not a file: opening it is how user-mode code obtains a handle for sending requests to the WinMonFS file-system filter driver associated with Glupteba's rootkit component. The report records the open, not whether it succeeded or what was sent through the handle, and it does not show the driver being loaded.)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A

(Despite the signature name, the indicator is a device object rather than a DLL: \??\VBoxMiniRdrDN is the device name registered by the VirtualBox Guest Additions shared-folder driver, so a successful open tells the sample it is inside a VirtualBox guest. The check only fires on guests with Guest Additions installed, which is why many analysis VMs omit them or rename the device.)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target

All 64 events below are under \REGISTRY\USER\.DEFAULT, the hive LocalSystem sees as HKEY_CURRENT_USER; grouped by process, with repeated rows collapsed into counts.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (19 events). These are the keys Windows creates the first time a process in that profile touches the certificate stores and WinINet zone settings, which together with the StartupProfileData-Interactive writes under C:\Windows\SysWOW64\config\systemprofile above places these PowerShell instances in the LocalSystem profile:
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (3 events)
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (3 events)

C:\Windows\windefender.exe (24 events), all Set value (str) under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-N. These are MUI display-string lookups for entries of the Time Zones registry key, a start-up pattern commonly produced by Go-compiled binaries resolving the local time zone; Glupteba is written in Go, so this is an artefact of the runtime rather than behaviour of interest:
-152 = "Central America Standard Time", -31 = "Mid-Atlantic Daylight Time", -2062 = "North Korea Standard Time", -2181 = "Astrakhan Daylight Time", -1021 = "Bangladesh Daylight Time", -52 = "Greenland Standard Time", -1832 = "Russia TZ 2 Standard Time", -2942 = "Sao Tome Standard Time", -2431 = "Cuba Daylight Time", -151 = "Central America Daylight Time", -122 = "SA Pacific Standard Time", -2321 = "Sakhalin Daylight Time", -82 = "Atlantic Standard Time", -661 = "Cen. Australia Daylight Time", -511 = "Central Asia Daylight Time", -2041 = "Eastern Daylight Time (Mexico)", -532 = "Sri Lanka Standard Time", -3051 = "Qyzylorda Daylight Time", -2941 = "Sao Tome Daylight Time", -291 = "Central European Daylight Time", -391 = "Arab Daylight Time", -1862 = "Russia TZ 6 Standard Time", -2611 = "Bougainville Daylight Time", -1821 = "Russia TZ 1 Daylight Time"

C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe (21 events), all Set value (str) under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-N, the same time-zone lookup pattern:
-1661 = "Bahia Daylight Time", -562 = "SE Asia Standard Time", -1972 = "Belarus Standard Time", -364 = "Middle East Daylight Time", -742 = "New Zealand Standard Time", -931 = "Coordinated Universal Time", -401 = "Arabic Daylight Time", -1021 = "Bangladesh Daylight Time", -532 = "Sri Lanka Standard Time", -692 = "Tasmania Standard Time", -91 = "Pacific SA Daylight Time", -2452 = "Saint Pierre Standard Time", -1042 = "Ulaanbaatar Standard Time", -282 = "Central Europe Standard Time", -111 = "Eastern Daylight Time", -721 = "Central Pacific Daylight Time", -2771 = "Omsk Daylight Time", -671 = "AUS Eastern Daylight Time", -122 = "SA Pacific Standard Time", -2942 = "Sao Tome Standard Time", -1472 = "Magadan Standard Time"

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 16
C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe 12
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 30
C:\Windows\rss\csrss.exe 6
(64 events in total; the report exports no description, indicator or target for this signature, so the rows are collapsed by process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 2724 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 4152 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 748 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 3744 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4828 wrote to memory of 1724 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 548 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 1972 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\rss\csrss.exe
PID 1972 wrote to memory of 4636 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2016 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 3632 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 4748 (2 events) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3608 wrote to memory of 1968 (3 events) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 116 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Each row pairs a parent with a child it launched, so the table can be read as the process tree: two instances of the sample (PIDs 1784 and 4828, matching the two sample entries in Processes) each start powershell.exe; 4828 also starts the cmd.exe/netsh.exe pair that adds the firewall rule and C:\Windows\rss\csrss.exe (PID 1972), which in turn starts three more powershell.exe instances and injector.exe; C:\Windows\windefender.exe (PID 3608) starts the cmd.exe/sc.exe pair that rewrites the WinDefender service ACL.

Uses Task Scheduler COM API

persistence
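The signatures above come down to a handful of command lines in the Processes section that follows, and each is the kind of thing a process-creation detection rule should catch: `schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe"` (logon persistence at highest privilege for a binary that borrows the name of the Windows subsystem process csrss.exe but lives in C:\Windows\rss instead of System32), `netsh advfirewall firewall add rule ... action=allow program=...` (an inbound allow rule for that same binary), `sc sdset WinDefender D:(...)(D;;WPDT;;;BA)...` (a deny ACE written into a service ACL), `powershell -nologo -noprofile` with no -Command or -File argument (whatever it ran was fed to it by the parent over another channel, so the command line alone reveals nothing), `injector.exe taskmgr.exe ...NtQuerySystemInformationHook.dll` (from the names, a DLL injected into Task Manager to hook the API it uses to list processes; the report does not include the DLL itself), and a 32-bit process reaching the 64-bit cmd.exe through C:\Windows\Sysnative. The script below is an added example written for this page, not part of the sandbox report: it encodes those observations as regular-expression rules and runs them over the command lines copied from the report. The rule names and the list of protected system binary names are this example's own choices, not anything the sandbox defines.

```python
"""Heuristic triage of the command lines recorded in this report's Processes section.

Added example for this page (not sandbox output). Each rule encodes one behaviour the
signatures flag, written the way it would be expressed against process-creation telemetry.
"""
import re
from collections import defaultdict

# Constructed input: the command lines copied from the Processes section of this report.
COMMAND_LINES = [
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\windefender.exe"',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]

# Binaries Windows only runs from System32/SysWOW64 (WinSxS holds their backing copies);
# the same file name anywhere else under C:\Windows is masquerading. List chosen for this example.
SYSTEM_BINARY_NAMES = r"(?:csrss|smss|lsass|wininit|winlogon|services|svchost)\.exe"
OUTSIDE_SYSTEM32 = re.compile(
    r'C:\\Windows\\(?!(?:System32|SysWOW64|WinSxS)\\)(?:[^\\\s"]+\\)*' + SYSTEM_BINARY_NAMES, re.I)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# Switches that carry a script or command. PowerShell also accepts unambiguous prefixes
# (-com, -en, ...), so a production rule should match prefixes; the exact forms suffice here.
PS_PAYLOAD_SWITCH = re.compile(r"\s-(?:c|command|f|file|e|ec|enc|encodedcommand)\b", re.I)

# (tag, regex) rules that fire on a single match anywhere in the command line.
PATTERN_RULES = [
    ("scheduled_task_create_highest", re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*/rl\s+highest\b", re.I)),
    ("scheduled_task_delete", re.compile(r"\bschtasks(?:\.exe)?\b.*/delete\b", re.I)),
    ("firewall_allow_program", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram=", re.I)),
    # sc sdset whose descriptor contains at least one deny ACE "(D;...)".
    ("service_acl_deny_ace", re.compile(r"\bsc(?:\.exe)?\s+sdset\s+\S+\s+\S*\(D;", re.I)),
    ("system_binary_name_outside_system32", OUTSIDE_SYSTEM32),
    # "<injector> <target.exe> <payload.dll>": keyed on the tool name seen in this report.
    ("dll_injection_tool", re.compile(r"\binjector(?:\.exe)?\s+\S+\.exe\s+\S+\.dll\b", re.I)),
    # Only a 32-bit (WOW64) process has a reason to spell the path this way.
    ("sysnative_64bit_launch", re.compile(r"\\Sysnative\\", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Return every heuristic tag that fires for one command line (empty list if none)."""
    tags = [tag for tag, rx in PATTERN_RULES if rx.search(cmdline)]
    # PowerShell started with only -nologo/-noprofile: the script arrived some other way
    # (stdin or a pipe), so the command line by itself says nothing about what ran.
    if POWERSHELL.search(cmdline) and not PS_PAYLOAD_SWITCH.search(cmdline):
        tags.append("powershell_without_script_argument")
    return tags


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Group command lines by the tags they trigger; lines that trigger nothing are dropped."""
    hits: dict[str, list[str]] = defaultdict(list)
    for cmd in cmdlines:
        for tag in classify(cmd):
            hits[tag].append(cmd)
    return dict(hits)


if __name__ == "__main__":
    for tag, cmds in triage(COMMAND_LINES).items():
        print(f"[{tag}]")
        for cmd in cmds:
            print("   ", cmd)
```

Run as a script it prints each tag with the command lines that triggered it; `"C:\Windows\windefender.exe"` triggers nothing, which is the point of pairing command-line rules with the file-drop and service-ACL signatures rather than relying on any one of them.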

Processes

C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe

"C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe

"C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0df96e12-1433-4983-8969-5a8220aa66b5.uuid.theupdatetime.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server6.theupdatetime.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server6.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.107.98:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
BG 185.82.216.108:443 server6.theupdatetime.org tcp

Files

memory/1784-1-0x0000000004850000-0x0000000004C49000-memory.dmp

memory/1784-2-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/1784-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2724-4-0x000000007429E000-0x000000007429F000-memory.dmp

memory/2724-5-0x0000000002D60000-0x0000000002D96000-memory.dmp

memory/2724-6-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2724-7-0x00000000054D0000-0x0000000005AF8000-memory.dmp

memory/2724-8-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2724-9-0x0000000005460000-0x0000000005482000-memory.dmp

memory/2724-11-0x0000000005D10000-0x0000000005D76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zypqlly.wth.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2724-10-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/2724-21-0x0000000005F10000-0x0000000006264000-memory.dmp

memory/2724-22-0x0000000006300000-0x000000000631E000-memory.dmp

memory/2724-23-0x0000000006340000-0x000000000638C000-memory.dmp

memory/2724-24-0x0000000007440000-0x0000000007484000-memory.dmp

memory/2724-25-0x0000000007630000-0x00000000076A6000-memory.dmp

memory/2724-27-0x00000000076D0000-0x00000000076EA000-memory.dmp

memory/2724-26-0x0000000007D30000-0x00000000083AA000-memory.dmp

memory/2724-31-0x00000000702B0000-0x0000000070604000-memory.dmp

memory/2724-41-0x00000000078D0000-0x00000000078EE000-memory.dmp

memory/2724-42-0x00000000078F0000-0x0000000007993000-memory.dmp

memory/2724-30-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2724-29-0x0000000070130000-0x000000007017C000-memory.dmp

memory/2724-44-0x00000000079E0000-0x00000000079EA000-memory.dmp

memory/2724-43-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2724-46-0x0000000007A00000-0x0000000007A11000-memory.dmp

memory/2724-45-0x0000000007AA0000-0x0000000007B36000-memory.dmp

memory/2724-28-0x0000000007890000-0x00000000078C2000-memory.dmp

memory/2724-47-0x0000000007A40000-0x0000000007A4E000-memory.dmp

memory/2724-48-0x0000000007A50000-0x0000000007A64000-memory.dmp

memory/2724-50-0x0000000007A90000-0x0000000007A98000-memory.dmp

memory/2724-49-0x0000000007B40000-0x0000000007B5A000-memory.dmp

memory/2724-53-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/1784-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1784-56-0x0000000004850000-0x0000000004C49000-memory.dmp

memory/4152-62-0x0000000005600000-0x0000000005954000-memory.dmp

memory/1784-67-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/4152-68-0x0000000070130000-0x000000007017C000-memory.dmp

memory/4152-69-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/4152-79-0x0000000006E50000-0x0000000006EF3000-memory.dmp

memory/4152-80-0x0000000007180000-0x0000000007191000-memory.dmp

memory/4152-81-0x00000000071D0000-0x00000000071E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/1724-94-0x0000000006210000-0x0000000006564000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3daa6c6d58447270d708fce6e856db96
SHA1 c468a1cc8ffd8af390e49503bbb3eaf3b4edaf0f
SHA256 97b7fc06828467c8550669d9e1798bafe9fb3b123039f6f7e2c4a2a87112c4d6
SHA512 41c58f8b09611cabaa781c5dba729cc9aecd6e2d3c402e6d0363bb02a9fa5f26142d6155e241d37be610880907e324189221a121ae6b7471225d4560973193fc

memory/1724-97-0x0000000070700000-0x0000000070A54000-memory.dmp

memory/1724-96-0x0000000070130000-0x000000007017C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eff1842551d8550e9af001e833df50f3
SHA1 52289c42d7a55e315721fd390104b7fc819bebfa
SHA256 f400a449b153f0d0dcbde714ea130679f21e1301797a796a500a2801e320258a
SHA512 84d60c10f0532eaa09831d01d8561764eb8cf9fef75eddf3269ebd8ec64b5bdc09ffe17457a2b75f8af106aeda7e48b5ea8d4435854e0c146e312ef15683ff90

memory/548-119-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/548-118-0x0000000070130000-0x000000007017C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c7322e07da3446de25d2c0d2aaf0be31
SHA1 3bf66312122519f06337bddd55823e6c894390a9
SHA256 3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f
SHA512 da57d9206a8e7978b163231af375df6086545bb723d5759cd4f1e5778c9540e7a8bfe124b7aa181ea91e27c42ef80cc934be5626e0fbdd5faa9822c97571a475

memory/1784-137-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4828-136-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4636-147-0x00000000054F0000-0x0000000005844000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bab01858243049b29c6b9654e142cdfd
SHA1 aaff52ab340491459ec83df125b15150ef2c1b7c
SHA256 93c5e1d12244c7ed9f97041cb0c8cd16b57984f310f0172b0e633de43376bbe5
SHA512 efa61be8f9ce501cab98cfd48cd866989dfd8e9daca849df5f08a7837ca0854ec545cf3e6e135509226c145a6c317f83172ebbfd672ffd58ef69ebefc73749b1

memory/4636-149-0x0000000070130000-0x000000007017C000-memory.dmp

memory/4636-150-0x00000000708D0000-0x0000000070C24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba8bb9a40f5467ba40e9e1a1d5df1262
SHA1 4c849202d583c58e8beae246788ee22fb371f6eb
SHA256 11709caf8c4fcb03ff4d1a6aabf5edc264f8133beb8f79c28213ce6e8bc84638
SHA512 da3ede517bfd508395b2c6f0d9c55132932404e92f20650a73c248bc3ac0be4becc30276cb047b1f8e6698be8bfaac136e14fcd8e513e4201367cde09ea2efc8

memory/2016-166-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

memory/2016-172-0x0000000006350000-0x000000000639C000-memory.dmp

memory/2016-173-0x0000000070050000-0x000000007009C000-memory.dmp

memory/2016-174-0x00000000707E0000-0x0000000070B34000-memory.dmp

memory/2016-184-0x0000000007590000-0x0000000007633000-memory.dmp

memory/2016-185-0x0000000007730000-0x0000000007741000-memory.dmp

memory/2016-186-0x0000000006120000-0x0000000006134000-memory.dmp

memory/3632-197-0x0000000005E70000-0x00000000061C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 af15b9f3c210849e6a366f38b941dacc
SHA1 a235ea15472be44686bbccbfa4204a49d48c0136
SHA256 63aedb74197ae22bbcc165f0fffb917cd02089a899a72f332c24827b8b0db4f3
SHA512 fc4abbe59b1cf4a6a3680bb72904ef579d42e303e9119f94f673a443feacc405f7f5387e5dad596ddce3b2a29ef30ed0cd6b391f2d0568e99bc6850529a591da

memory/3632-199-0x0000000070050000-0x000000007009C000-memory.dmp

memory/3632-200-0x0000000070780000-0x0000000070AD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1972-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3608-223-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1196-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3608-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1972-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1196-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1972-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1196-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1972-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-260-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-265-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1972-269-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:31

Reported

2024-05-15 23:34

Platform

win11-20240508-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\system32\cmd.exe
PID 4972 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4972 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3236 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\rss\csrss.exe
PID 3236 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\rss\csrss.exe
PID 3236 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe C:\Windows\rss\csrss.exe
PID 5068 wrote to memory of 4856 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 4856 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 4856 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3340 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3340 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3340 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 4300 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5068 wrote to memory of 4300 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4384 wrote to memory of 3440 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 3440 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 3440 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe

"C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe

"C:\Users\Admin\AppData\Local\Temp\3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 da610211-2143-45c4-9316-23dd8d0dbb33.uuid.theupdatetime.org udp
US 8.8.8.8:53 server10.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server10.theupdatetime.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server10.theupdatetime.org tcp

Files

memory/2440-1-0x00000000048B0000-0x0000000004CB6000-memory.dmp

memory/2440-2-0x0000000004CC0000-0x00000000055AB000-memory.dmp

memory/2440-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2468-4-0x000000007429E000-0x000000007429F000-memory.dmp

memory/2468-5-0x0000000002E60000-0x0000000002E96000-memory.dmp

memory/2468-7-0x0000000074290000-0x0000000074A41000-memory.dmp

memory/2468-6-0x0000000005700000-0x0000000005D2A000-memory.dmp

memory/2468-8-0x0000000005650000-0x0000000005672000-memory.dmp

memory/2468-9-0x0000000005D30000-0x0000000005D96000-memory.dmp

memory/2468-10-0x0000000005DA0000-0x0000000005E06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvbc10oy.mfz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2468-19-0x0000000074290000-0x0000000074A41000-memory.dmp

memory/2468-20-0x0000000005E60000-0x00000000061B7000-memory.dmp

memory/2468-21-0x0000000006300000-0x000000000631E000-memory.dmp

memory/2468-22-0x0000000006330000-0x000000000637C000-memory.dmp

memory/2468-23-0x0000000006880000-0x00000000068C6000-memory.dmp

memory/2468-25-0x0000000007710000-0x0000000007744000-memory.dmp

memory/2468-26-0x0000000070500000-0x000000007054C000-memory.dmp

memory/2468-27-0x0000000070680000-0x00000000709D7000-memory.dmp

memory/2468-37-0x0000000007790000-0x0000000007834000-memory.dmp

memory/2468-36-0x0000000007770000-0x000000000778E000-memory.dmp

memory/2440-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2468-38-0x0000000074290000-0x0000000074A41000-memory.dmp

memory/2468-39-0x0000000074290000-0x0000000074A41000-memory.dmp

memory/2468-40-0x0000000007F00000-0x000000000857A000-memory.dmp

memory/2468-41-0x00000000078C0000-0x00000000078DA000-memory.dmp

memory/2468-42-0x0000000007900000-0x000000000790A000-memory.dmp

memory/2468-43-0x0000000007A10000-0x0000000007AA6000-memory.dmp

memory/2468-44-0x0000000007920000-0x0000000007931000-memory.dmp

memory/2468-45-0x0000000007970000-0x000000000797E000-memory.dmp

memory/2468-46-0x0000000007980000-0x0000000007995000-memory.dmp

memory/2468-47-0x00000000079D0000-0x00000000079EA000-memory.dmp

memory/2468-48-0x00000000079F0000-0x00000000079F8000-memory.dmp

memory/2468-51-0x0000000074290000-0x0000000074A41000-memory.dmp

memory/2440-53-0x00000000048B0000-0x0000000004CB6000-memory.dmp

memory/2440-54-0x0000000004CC0000-0x00000000055AB000-memory.dmp

memory/2252-63-0x00000000062D0000-0x0000000006627000-memory.dmp

memory/2440-64-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2252-65-0x0000000070500000-0x000000007054C000-memory.dmp

memory/2252-66-0x0000000070730000-0x0000000070A87000-memory.dmp

memory/2252-75-0x0000000007A90000-0x0000000007B34000-memory.dmp

memory/2252-76-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

memory/2440-78-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2252-79-0x0000000007E00000-0x0000000007E15000-memory.dmp

memory/3236-77-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 15bebbb51db6e8b1a35f1f70dbfdf9ef
SHA1 35e1e561400900a3a8b14e335a65b3a1d1850827
SHA256 c022fd74e816d7c9cf54a9ba353764937d838a530a066582cb08d45a3ae1b2ad
SHA512 c436de2f12f2c8e31e661bb30497cffe6e2fb2d564676f6000212a2dc39290b81e98e7d1cff67b44158125a7f5bfa8a0a904d26886c86606f44364bbc63ca9c2

memory/1380-92-0x0000000070500000-0x000000007054C000-memory.dmp

memory/1380-93-0x0000000070680000-0x00000000709D7000-memory.dmp

memory/1432-111-0x0000000006000000-0x0000000006357000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ea412bb9e2fc51d814704e40b7fca2a3
SHA1 3670a8045d37d40d427bd8108c8e7d4d03fe878a
SHA256 52d340ba8d1478e76f824b6b498bd6f944cc4611506eee5a7c148c351d4cb6ab
SHA512 e58d9b5addfd2ac439df1abe5575813aefcafe9c6ca2094266521a6b4b960476098ba91c076035852bb4fb299d3e3e36967fc001f87cf52e66839de49a0cc411

memory/1432-113-0x0000000070500000-0x000000007054C000-memory.dmp

memory/1432-114-0x0000000070710000-0x0000000070A67000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c7322e07da3446de25d2c0d2aaf0be31
SHA1 3bf66312122519f06337bddd55823e6c894390a9
SHA256 3a5c13236435bda7fab6a3d620f43ed177a3ee025ef939052fa2522cb498f74f
SHA512 da57d9206a8e7978b163231af375df6086545bb723d5759cd4f1e5778c9540e7a8bfe124b7aa181ea91e27c42ef80cc934be5626e0fbdd5faa9822c97571a475

memory/3236-130-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d22784736dc632209351ea3ccdbc69b9
SHA1 0b351f0d343c72e85b1bf7da0f4f735c9904c75a
SHA256 b6169a196232081006079afb412833bdc2c4473a11d02d6b4bedcbcf02432b43
SHA512 1ed7ac0bf38dd597426f5781e82033061d8c11f8d75274d15636d216904e6b290543196c26980bdd65be8dba4290c01288ffaaee1dfea3c4cb2fd153bd8ad229

memory/4856-141-0x0000000070500000-0x000000007054C000-memory.dmp

memory/4856-142-0x0000000070680000-0x00000000709D7000-memory.dmp

memory/3340-158-0x0000000006230000-0x0000000006587000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2e984936c81e9025d798395648c34daf
SHA1 5ddf2a3751cbca76811ababcfea4529868000b28
SHA256 7e8e98a3653fcb58b55784431d44500b09be4ac90b6b6378a57e24105c6635b7
SHA512 f88978136a755047bc8f402bd52b5daa72b29e72d2f815232e90fbd31add1a9cadba9d137f06a390fe8166d6a7da40e5014c5be0fb8a9a88f16555fb644150e1

memory/3340-163-0x0000000006810000-0x000000000685C000-memory.dmp

memory/3340-164-0x0000000070420000-0x000000007046C000-memory.dmp

memory/3340-165-0x0000000070650000-0x00000000709A7000-memory.dmp

memory/3340-174-0x0000000007A40000-0x0000000007AE4000-memory.dmp

memory/3340-175-0x00000000065D0000-0x00000000065E1000-memory.dmp

memory/3340-176-0x0000000006610000-0x0000000006625000-memory.dmp

memory/1448-186-0x0000000005590000-0x00000000058E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5c6b2fd0f14214314bd6ab8ae7882584
SHA1 911fd68ef7cc9dd69134097bc738ccde0e41e77f
SHA256 8d2f0b67e973a454f274d4f1c20c10adf11fea425a1318156dde5351ca7527f6
SHA512 5f71fce3ad1aa3dcd59359c8d92a4045e3c52c2f5fa94cb1e101e4af9e2d84a36092deda372fd680d0e518f3620de4669de949137c35005f0fddb8a7a52b4343

memory/1448-189-0x0000000070420000-0x000000007046C000-memory.dmp

memory/1448-190-0x0000000070670000-0x00000000709C7000-memory.dmp

memory/5068-200-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4384-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/328-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4384-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5068-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/328-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5068-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5068-224-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/328-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5068-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5068-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5068-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5068-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5068-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5068-248-0x0000000000400000-0x0000000002B0B000-memory.dmp