Malware Analysis Report

2025-01-02 06:32

Sample ID 240515-3jm7qaab28
Target e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa
SHA256 e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa

Threat Level: Known bad

The file e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:32

Reported

2024-05-15 23:35

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\system32\cmd.exe
PID 4292 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\system32\cmd.exe
PID 3292 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3292 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\rss\csrss.exe
PID 4292 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\rss\csrss.exe
PID 4292 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\rss\csrss.exe
PID 4772 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3780 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4772 wrote to memory of 3780 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 632 wrote to memory of 4360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 4360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 4360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4360 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4360 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe

"C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe

"C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apivt0wn.01h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 71e304b78413202b63572f6fce3353db
SHA1 a487808f4c1477c9a57d5310f2e6128b22d4d2c4
SHA256 3ae832ad8b8b536d32c0070ba1b00c6bc977a3241c5a8e78ad7b71a83d08cd75
SHA512 2bbd8cbc0624fbcce4594b706a0438d1f5f694bae1de9b3d2f703556a03c6d28e173971321a65e132aa3e1d655756f9fd2fc61b72decf41e1b022225ddc02886

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 feb15ae948508479b70e7a060a23b90f
SHA1 396e8751d2bc922c57428982c08397f04ecd2541
SHA256 658cf9a47f64eb6f2445b68d970aec1968f53aa1aa58c23b2d28c125f6e19ed0
SHA512 575317129b87a95f5392922472df53fa9b12f641d0114c62d744bd92547eaeebe4e4cd1fe84ce40cea30cbea380977bc0842f4fafba0709179cc46d42ca8cf33

C:\Windows\rss\csrss.exe

MD5 c65c2f1ae7063f154ff25c2b43e62009
SHA1 2dec1a506d7da744afbdef49f996e758ebe5af8b
SHA256 e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa
SHA512 3c2e0762c2a87085610d6fe34d23e423ab7e2cc5850a1346508a4c82fddfd2fd645c0b35861308127db2d3069a770ff9304c18da1a5e73963e6d673b4a66e801

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3b68151509f9d3ba5d61c97c3a0a039c
SHA1 9cf73589236f4bde9f6ba8015a99f70618929ee0
SHA256 fca54eacc194e489b95ae874310d8045a1e2ba101db04c922da9e135554c36fd
SHA512 5dde5895d6a3aa54f3a6912ce032cd69229464a8b1e9a07c99faeec81e8d24f92466965ebd66f1488a76a04cc4c932c16baea81a13e930c6eb8b815e4ec96899

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2eda7d30dc201e83c4e81a5fca01bdec
SHA1 449523685e06af21015db154459c99fcfd9db6cc
SHA256 fbe5d5fbeda9cf52e5766b3cd255cf3953fdcba06f398c38bf90ffc4b09a9bd1
SHA512 50cdc0f4ef18565e891da8d25541aed1a0440b430221065fce6172dd17fdb420c0ce20a5517091bc89ceaaa01acda8ca1f8d83caa6544a7846bc64caa0e0e0a1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c005cc326b0e28f583481dd0c01f843
SHA1 536ddab52bdbfd98926b6a17c705b4c5d3cba546
SHA256 cb21401850fe63ef33b9656e258596d175637ad026100a413ead5aa20dde654c
SHA512 f9d39559ebc07dcf0190a188d19b335984422291389c0ee488d07d1c7b89b37096047216f9d0b4b3813c2070f60d031b896733967dcb96534e21fe8c7edf6f1f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:32

Reported

2024-05-15 23:35

Platform

win11-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\system32\cmd.exe
PID 1792 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\system32\cmd.exe
PID 840 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 840 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\rss\csrss.exe
PID 1792 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\rss\csrss.exe
PID 1792 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe C:\Windows\rss\csrss.exe
PID 4328 wrote to memory of 3840 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 3840 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 3840 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 4660 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 4660 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 4660 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 544 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4328 wrote to memory of 544 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3720 wrote to memory of 564 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 564 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 564 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 564 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 564 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe

"C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe

"C:\Users\Admin\AppData\Local\Temp\e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 222b25ea-d20a-40b4-93e2-ff15332c4a3d.uuid.myfastupdate.org udp
US 8.8.8.8:53 server13.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.111:443 server13.myfastupdate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server13.myfastupdate.org tcp
BG 185.82.216.111:443 server13.myfastupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnl1qj0r.uxc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 853c370d6a40b2cd45eed1c7b86a77bb
SHA1 769cb381ef0f1bb99e70c9d1d068eaae16788679
SHA256 fa7030164819bd92a8c9927ec8cddc6ece52973fb0827f2995b70ba8da7a0b7e
SHA512 e10848508d311e1282c811bbe7b07f012880400c9727ec9dcc8c6e5590e6216861d5962932d57ce5f6c9e021c018f82501681a118e9dc7c18031b7c122fbf7b0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 004aebfc431017001f31f7b30012c325
SHA1 8b3ff02a52e63dc1c3da458469e680e93cbf4dd5
SHA256 cd18f7860b60e822625a71e3f963b59f124bc7117cddb5d94a7b8b37c86aac9e
SHA512 7bb4abdd3b7f5214d8624be504ac55660b617dda8c612f7bca3572bf5c30ec9b8a92de9fe8305bc2c8bb9ad790d629cb98db0b00258ec8bb2911d2a8fbb28d72

C:\Windows\rss\csrss.exe

MD5 c65c2f1ae7063f154ff25c2b43e62009
SHA1 2dec1a506d7da744afbdef49f996e758ebe5af8b
SHA256 e63e939b3a432162012c97b3648e7c17334f4070345a05518a6377006437b7fa
SHA512 3c2e0762c2a87085610d6fe34d23e423ab7e2cc5850a1346508a4c82fddfd2fd645c0b35861308127db2d3069a770ff9304c18da1a5e73963e6d673b4a66e801

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3513cd83882c75e4a5e69430484bab0e
SHA1 2df0f3a132c41a432eb4ecb0fca5a53c15e176c6
SHA256 c0d43a8e777221c6debc6581dc8d4a8f4908bb3135ed7d55495728f6a680c08b
SHA512 eb35c7ab1306b0d87ecdae1d4ec5726ae46f953d15176ebe7fefda821bba29bab6a8220bc353634887f0cc79dc6b653f3b3e4795cb01f2cbc242d9774c76186f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0d3ad793bef2eac6747e6fbb96d88fc3
SHA1 00ce15d0e4a257fca09c0693f0a9b8f0d9143bf5
SHA256 10ea7b5427a0f81f7f6c624a8a4cb1da16c1cad95f70d66c042a39e08274fe5d
SHA512 b1bfe810d608b3d390f4d9f1dffb660754c981532079c26cb3b940532f1c14855b6de64c8379b83defe2d5e00f2f42020633cc3a2ce3b17ac3cdac405b3fe4a1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd33a4b3d17d9fe532ab10d958c8dcf7
SHA1 5257e7b1b9f5de0ee8b7b3df9c288ff0dd9c8fba
SHA256 7d3c76ca57a6d9dbf526ddfa96222f8c1829971216e77c9b0e76f5dc2262685e
SHA512 7e12865e42115b1def93869c6ed752330b2a0b10e370371a79f30ce9f1ae517b8a554b6ffb96c336230f048b7aa53be715e9ff94be8d401a8716a799af2306b2

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
