Malware Analysis Report

2025-01-02 06:40

Sample ID 240515-s1396aga4x
Target 360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67
SHA256 360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67

Threat Level: Known bad

The file 360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:36

Reported

2024-05-15 15:39

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\system32\cmd.exe
PID 3040 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4496 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3040 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\rss\csrss.exe
PID 3040 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\rss\csrss.exe
PID 3040 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\rss\csrss.exe
PID 3692 wrote to memory of 2408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 2408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 2408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 3952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 3952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 3952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 2172 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 2172 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 2172 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3692 wrote to memory of 4908 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2740 wrote to memory of 3668 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3668 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3668 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3668 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3668 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe

"C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe

"C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
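
The sc sdset command above rewrites the security descriptor of the WinDefender service that windefender.exe registers. Decoded, the DACL keeps the usual allow entries for Local System, Interactive users and Service logon, but removes SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) from the Builtin Administrators allow ACE and adds an explicit (D;;WPDT;;;BA) deny. A local administrator therefore cannot stop or pause the service, while Local System still can, and Administrators keep SERVICE_CHANGE_CONFIG and WRITE_DAC, which is enough to put the descriptor back. The parser below is an added example written for this report, not tooling from the sandbox and not code from the sample: MALWARE_SDDL is copied from the sc.exe command line above, DEFAULT_SERVICE_SDDL is an assumed stock service descriptor used only as a baseline to diff against, and group expansion (an administrator also matching Everyone) is deliberately not modelled.

```python
"""Decode the service DACL applied with `sc sdset WinDefender ...` and diff it
against a stock service descriptor.  Added example for this report; the
baseline string is an assumption, the observed string is copied from the report.
"""
import re
from dataclasses import dataclass

# SDDL access-right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Trustee abbreviations (note "WD" here is Everyone, unrelated to the WRITE_DAC right).
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive users", "SU": "Service logon", "WD": "Everyone"}

# Copied from the sc.exe command line in this report.
MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed stock descriptor of a freshly created service; baseline only.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass(frozen=True)
class Ace:
    ace_type: str        # "A" allow, "D" deny, "AU" audit
    rights: frozenset    # two-letter right codes
    trustee: str         # SID abbreviation


def parse_sddl(sddl):
    """Return {"D": [Ace, ...], "S": [Ace, ...]} in the order written."""
    acls = {"D": [], "S": []}
    for part in re.finditer(r"(D|S):((?:\([^)]*\))*)", sddl):
        for ace in re.finditer(r"\(([^)]*)\)", part.group(2)):
            fields = ace.group(1).split(";")   # type;flags;rights;objguid;inhguid;sid
            rights = fields[2]
            codes = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
            acls[part.group(1)].append(Ace(fields[0], codes, fields[5]))
    return acls


def check_access(sddl, trustee, right):
    """Ordered DACL walk as Windows does it for one right: the first ACE that
    names this trustee and this right decides; no matching ACE means deny."""
    for ace in parse_sddl(sddl)["D"]:
        if ace.trustee == trustee and right in ace.rights:
            return ace.ace_type == "A"
    return False


def dacl_diff(baseline, observed):
    """ACEs present in observed but not in baseline, and vice versa."""
    before = set(parse_sddl(baseline)["D"])
    after = set(parse_sddl(observed)["D"])
    return {"added": sorted(after - before, key=str),
            "removed": sorted(before - after, key=str)}


def explain(ace):
    kind = {"A": "allow", "D": "DENY", "AU": "audit"}.get(ace.ace_type, ace.ace_type)
    rights = ", ".join(sorted(SERVICE_RIGHTS.get(c, c) for c in ace.rights))
    return f"{kind} {TRUSTEES.get(ace.trustee, ace.trustee)}: {rights}"


if __name__ == "__main__":
    for key, aces in dacl_diff(DEFAULT_SERVICE_SDDL, MALWARE_SDDL).items():
        for ace in aces:
            print(f"{key}: {explain(ace)}")
    for right in ("WP", "DT", "DC", "WD"):
        print(f"Administrators {SERVICE_RIGHTS[right]}: "
              f"{check_access(MALWARE_SDDL, 'BA', right)}")
```

The diff prints one removed ACE (the full Administrators allow) and two added ones (the narrowed allow and the deny). For response this means an elevated `sc stop WinDefender` should fail with access denied, but because WRITE_DAC and SERVICE_CHANGE_CONFIG are still granted, an administrator can reapply a normal descriptor with sc sdset, or act as Local System, before stopping and deleting the service. Check any unfamiliar service with `sc sdshow` rather than assuming an elevated shell can stop it.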

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.168:443 www.bing.com tcp
US 8.8.8.8:53 168.61.62.23.in-addr.arpa udp
NL 23.62.61.168:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 c3c31a1f-9580-46e1-837a-d3786cf774b3.uuid.statstraffic.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.statstraffic.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.104:443 server11.statstraffic.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server11.statstraffic.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.104:443 server11.statstraffic.org tcp

Files

memory/3312-1-0x00000000047B0000-0x0000000004BB2000-memory.dmp

memory/3312-2-0x0000000004BC0000-0x00000000054AB000-memory.dmp

memory/3312-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1444-4-0x00000000749EE000-0x00000000749EF000-memory.dmp

memory/1444-5-0x0000000005340000-0x0000000005376000-memory.dmp

memory/1444-6-0x0000000005A10000-0x0000000006038000-memory.dmp

memory/1444-7-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1444-8-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1444-9-0x0000000006080000-0x00000000060A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hmpkans.cnw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1444-16-0x0000000006290000-0x00000000062F6000-memory.dmp

memory/1444-10-0x0000000006220000-0x0000000006286000-memory.dmp

memory/1444-21-0x00000000064E0000-0x0000000006834000-memory.dmp

memory/1444-22-0x00000000068D0000-0x00000000068EE000-memory.dmp

memory/1444-23-0x0000000006920000-0x000000000696C000-memory.dmp

memory/1444-24-0x0000000006EA0000-0x0000000006EE4000-memory.dmp

memory/1444-25-0x0000000007A20000-0x0000000007A96000-memory.dmp

memory/1444-26-0x0000000008320000-0x000000000899A000-memory.dmp

memory/1444-27-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

memory/3312-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1444-32-0x0000000070A00000-0x0000000070D54000-memory.dmp

memory/1444-31-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1444-30-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/1444-29-0x0000000007E70000-0x0000000007EA2000-memory.dmp

memory/1444-42-0x0000000007EB0000-0x0000000007ECE000-memory.dmp

memory/1444-43-0x0000000007ED0000-0x0000000007F73000-memory.dmp

memory/1444-44-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1444-45-0x0000000007FC0000-0x0000000007FCA000-memory.dmp

memory/1444-46-0x0000000008080000-0x0000000008116000-memory.dmp

memory/1444-47-0x0000000007FE0000-0x0000000007FF1000-memory.dmp

memory/1444-48-0x0000000008020000-0x000000000802E000-memory.dmp

memory/1444-49-0x0000000008030000-0x0000000008044000-memory.dmp

memory/1444-50-0x0000000008120000-0x000000000813A000-memory.dmp

memory/1444-51-0x0000000008060000-0x0000000008068000-memory.dmp

memory/1444-54-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/3312-56-0x00000000047B0000-0x0000000004BB2000-memory.dmp

memory/3312-58-0x0000000004BC0000-0x00000000054AB000-memory.dmp

memory/3312-57-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4108-68-0x00000000055C0000-0x0000000005914000-memory.dmp

memory/4108-69-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/4108-70-0x0000000070CA0000-0x0000000070FF4000-memory.dmp

memory/4108-80-0x0000000006E70000-0x0000000006F13000-memory.dmp

memory/3312-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4108-82-0x0000000007180000-0x0000000007191000-memory.dmp

memory/4108-83-0x00000000071D0000-0x00000000071E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba177f280b18eccaae8e3f91ba7307a8
SHA1 18bff5fe6c4a34b7fad59b14fab24aa4f837a132
SHA256 1a0251af9d903179920c2fddebeac5f45c894c093e9e32b599ae3d40d171d7f1
SHA512 ed00334ec304503a7380c637135db1699bbf9ff04bfd0b0c53e8a250e89873ae6643e848d54830e5e43457c4802d59d71bd88e8adbdca0f16b8bdb33a5e594dd

memory/3040-96-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5028-98-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/5028-99-0x0000000070A00000-0x0000000070D54000-memory.dmp

memory/1688-115-0x0000000006240000-0x0000000006594000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 60ebc5d504d772d72ed211f3c3cc6d42
SHA1 604e97b9d90768d532d83c43490498c198afc1ff
SHA256 d1aff47695c6425a6dab48e802364b0d7e39880aea91dbe66ef61f70f30eadfa
SHA512 d8f13725b3d328ed54c6c1c933f5d21f437d2f3dad13609efdf24bb4784b6b9bc11df8eb49623d436d9bd7a7987196ca166139374ca171974df76a208204d045

memory/1688-121-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/1688-122-0x0000000071000000-0x0000000071354000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 8f2a3ef9906bc1028bde37950781d462
SHA1 8ea46de0941966fe1194c0c9ccdb5de7dfde12b4
SHA256 360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67
SHA512 3587532c1fc46e7cab60379044d9d7218534b233d031d68755ddfc25ba76b36d0d5a96c79698936dba35e56ce807357d84321d1868faf5ce5de5a8de971707c1

memory/3040-139-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b75aa63264258ab4925bfddbce8788b8
SHA1 a4229f187193dc97da7dc225c310306f47d7642f
SHA256 034821208635831ddd087ec18cb5db20ce37794df6e0d40fdf724efa0340e06e
SHA512 e32ac0f8071dcd7c74a4741262c6fab3ae2feccff4e7dd7f37ce14bf3c29eb3afded234e6a3ebcd756ec33192f025a872561da7c569e49603d519d4bf5fd1d71

memory/2408-151-0x0000000071000000-0x0000000071354000-memory.dmp

memory/2408-150-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/3952-171-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7afe8b99ee0aedf9f7186a14501a5746
SHA1 798d47827ec486be2c2528cad22a5e3f363eae50
SHA256 01adeda8feb0efc4ba9a823ed5acfaf1f45f6e5310ef5e26689d1c1946321622
SHA512 13a3ccb8742c86383f7806230284338a50dba6d237913e82a9270a929c5b3423eee38b1ded93452f6df957b0616a2adb873a8216529914dc9fc0d0fe5fc2108f

memory/3952-173-0x00000000063F0000-0x000000000643C000-memory.dmp

memory/3952-175-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/3952-177-0x0000000070F30000-0x0000000071284000-memory.dmp

memory/3952-187-0x00000000070E0000-0x0000000007183000-memory.dmp

memory/3692-176-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3952-188-0x0000000007450000-0x0000000007461000-memory.dmp

memory/3952-189-0x0000000005C50000-0x0000000005C64000-memory.dmp

memory/2172-200-0x00000000058A0000-0x0000000005BF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3f071ca839d34c586a4f76ed7bdf163
SHA1 97f94ae0eb927ef0b85feb5f601eb57197dc9caf
SHA256 0a9c9fbf452b71bd83a6c3a5076bcde2e7a6da9a9a83ff7e36302be11586ed0b
SHA512 cdd9a8971d028b3130c6180b91404bd449139d5d2cbd4bf0f7f8e6a858dbf2eb11891a4c261de6e3c3e6656e2a8409ea89a9322e956960dc710c6cce33f82bd9

memory/2172-203-0x0000000070D80000-0x00000000710D4000-memory.dmp

memory/2172-202-0x00000000707A0000-0x00000000707EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3692-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2740-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/404-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2740-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3692-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/404-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3692-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3692-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/404-243-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3692-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3692-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3692-253-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3692-257-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3692-261-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3692-265-0x0000000000400000-0x0000000002B0B000-memory.dmp
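
Two things in the listings above are worth pulling out before the hashes go into a blocklist. First, C:\Windows\rss\csrss.exe carries the same SHA256 as the submitted sample, so the dropper copies itself into place rather than unpacking a second stage; injector.exe and windefender.exe are the genuinely new files. Second, the StartupProfileData-Interactive and __PSScriptPolicyTest_*.ps1 entries are written by PowerShell itself on first run under the SYSTEM profile, which is also why the "Drops file in System32 directory" signature fires on them; they are not attacker artifacts. On the network side, the reverse (in-addr.arpa) lookups and the Bing traffic come from the Windows guest, leaving the statstraffic.org hosts, carsalessystem.com, the Discord CDN and the Google STUN server as the destinations an analyst should actually review. The script below is an added example written for this report, not sandbox tooling: NETWORK and FILES are subsets copied from the listings above (some hash lines dropped to keep it short), and the noise classification is an analyst assumption, not something the report states.

```python
"""Separate reviewable indicators from sandbox noise in the behavioral1 Network
and Files listings.  Added example for this report; data below is a subset of
the report's own listings, the noise heuristics are assumptions."""
import re
from collections import OrderedDict

SAMPLE_SHA256 = "360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67"

NETWORK = """
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 c3c31a1f-9580-46e1-837a-d3786cf774b3.uuid.statstraffic.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.104:443 server11.statstraffic.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server11.statstraffic.org tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

FILES = r"""
memory/3312-1-0x00000000047B0000-0x0000000004BB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hmpkans.cnw.ps1
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
SHA256 1a0251af9d903179920c2fddebeac5f45c894c093e9e32b599ae3d40d171d7f1
memory/1444-44-0x00000000749E0000-0x0000000075190000-memory.dmp
C:\Windows\rss\csrss.exe
MD5 8f2a3ef9906bc1028bde37950781d462
SHA256 360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
C:\Windows\windefender.exe
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
"""

GUEST_NOISE_SUFFIXES = (".bing.com", ".bing.net")        # Windows 10 guest telemetry
PS_RUNTIME_MARKERS = ("\\config\\systemprofile\\", "__PSScriptPolicyTest_")  # PowerShell's own files


def classify_domain(domain):
    if domain.endswith(".in-addr.arpa"):
        return "ptr"                 # reverse lookup triggered by the guest, not by the sample
    if domain.endswith(GUEST_NOISE_SUFFIXES):
        return "guest-noise"
    return "review"


def triage_network(text):
    """Domains worth review -> {countries, endpoints (deduplicated), dns_only}."""
    iocs = OrderedDict()
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        if classify_domain(domain) != "review":
            continue
        entry = iocs.setdefault(domain, {"countries": set(), "endpoints": [], "dns_only": True})
        if dest.endswith(":53") and proto == "udp":
            continue                 # the resolver query itself; the domain is the indicator
        entry["dns_only"] = False
        entry["countries"].add(country)
        endpoint = f"{dest}/{proto}"
        if endpoint not in entry["endpoints"]:
            entry["endpoints"].append(endpoint)
    return iocs


def triage_files(text):
    """Dropped files with hashes; PowerShell runtime files flagged as noise and
    anything hash-identical to the submitted sample flagged as a self-copy."""
    files, dumps = [], 0
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        if line.startswith("memory/"):
            dumps += 1               # memory regions the sandbox dumped, not files on disk
            continue
        m = re.match(r"(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", line)
        if m:
            files[-1][m.group(1).lower()] = m.group(2)
            continue
        files.append({"path": line, "noise": any(k in line for k in PS_RUNTIME_MARKERS)})
    for f in files:
        f["same_as_sample"] = f.get("sha256") == SAMPLE_SHA256
    return {"files": files, "memory_dumps": dumps}


if __name__ == "__main__":
    for domain, info in triage_network(NETWORK).items():
        print(domain, sorted(info["countries"]), info["endpoints"] or "(DNS only)")
    for f in triage_files(FILES)["files"]:
        print(("noise " if f["noise"] else "drop  ") + ("self-copy " if f["same_as_sample"] else "") + f["path"])
```

The DNS-only uuid.statstraffic.org name is kept as an indicator even though no connection to it is recorded: a per-infection UUID label in a query is itself a useful hunting pattern. Treat the remaining destinations as candidates for review rather than confirmed C2; the report records the contacts but not their content.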

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:36

Reported

2024-05-15 15:39

Platform

win11-20240419-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 matches reported, no per-match details given)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches reported, no per-match details given)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
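
Taken together, the signatures in this report describe one chain aimed at a single path: a binary named csrss.exe is written to C:\Windows\rss (a system-process name outside System32), a Run value and an ONLOGON scheduled task at run level HIGHEST both point at it, netsh opens an inbound firewall allow rule for it, sc sdset rewrites a service DACL with a deny ACE, and injector.exe is handed taskmgr.exe plus a DLL called NtQuerySystemInformationHook.dll. Any one of these fires on legitimate software now and then; several of them converging on the same path does not. The detection below is an added example written for this report, not the sandbox's signature code: EVENTS and REGISTRY are constructed from the command lines and the Run-key indicator recorded above, TRUSTED_DIRS and SYSTEM_PROCESS_NAMES are analyst assumptions, and the injection check is only a heuristic on the shape of the command line.

```python
"""Rule set for the persistence and masquerading chain in this report, with a
correlation step that groups findings by the path they point at.  Added example
for this report; events are constructed from the report's own command lines."""
import re
from collections import defaultdict

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")     # assumption
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "wininit.exe", "winlogon.exe", "svchost.exe"}    # assumption

EVENTS = [  # image path and command line, copied from the process lists above
    {"image": r"C:\Windows\rss\csrss.exe",
     "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
]
REGISTRY = [{"key": r"\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
             "data": r'"C:\Windows\rss\csrss.exe"'}]


def tokenize(cmd):
    """Split a Windows command line, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def switch(tokens, name):
    """Value following a /NAME switch (case-insensitive), or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.upper() == name:
            return tokens[i + 1]
    return None


def trusted(path):
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def run_rules(events, registry):
    hits = []  # (technique, target, detail)
    for ev in events:
        image, cmd = ev["image"], ev["cmdline"]
        toks = tokenize(cmd)
        exe = re.sub(r"\.exe$", "", toks[0].rsplit("\\", 1)[-1].lower())
        name = image.rsplit("\\", 1)[-1].lower()
        upper = [t.upper() for t in toks]
        if name in SYSTEM_PROCESS_NAMES and not trusted(image):               # T1036.005
            hits.append(("T1036.005", image, f"{name} running from {image}"))
        if exe == "schtasks" and "/CREATE" in upper:                           # T1053.005
            tr = switch(toks, "/TR")
            if tr and (switch(toks, "/RL") or "").upper() == "HIGHEST" and not trusted(tr):
                hits.append(("T1053.005", tr, f"{switch(toks, '/SC')} task {switch(toks, '/TN')} -> {tr}"))
        if exe == "netsh" and upper[1:4] == ["ADVFIREWALL", "FIREWALL", "ADD"]:  # T1562.004
            kv = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', cmd)}
            prog = kv.get("program")
            if kv.get("action", "").lower() == "allow" and prog and not trusted(prog):
                hits.append(("T1562.004", prog, f"inbound allow rule {kv.get('name')} -> {prog}"))
        m = re.match(r"(?i)sc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd)          # T1562
        if m and "(D;" in m.group(2):
            hits.append(("T1562", m.group(1), f"deny ACE written to service {m.group(1)}"))
        args = [t.lower() for t in toks[1:]]                                   # T1055.001 heuristic
        if not trusted(image) and any(a.endswith(".dll") for a in args) and any(a.endswith(".exe") for a in args):
            hits.append(("T1055.001", image, f"{name} given a target process and a DLL"))
    for reg in registry:                                                       # T1547.001
        if "\\currentversion\\run\\" in reg["key"].lower():
            target = reg["data"].strip('"')
            value_name = reg["key"].rsplit("\\", 1)[-1]
            if not trusted(target):
                hits.append(("T1547.001", target, f"Run value {value_name} -> {target}"))
    return [{"technique": t, "target": tgt, "detail": d} for t, tgt, d in hits]


def correlate(findings):
    """Techniques seen per target; one target hit by several is the chain."""
    by_target = defaultdict(set)
    for f in findings:
        by_target[f["target"].lower()].add(f["technique"])
    return {k: sorted(v) for k, v in by_target.items()}


if __name__ == "__main__":
    found = run_rules(EVENTS, REGISTRY)
    for f in found:
        print(f["technique"], f["detail"])
    for target, techniques in correlate(found).items():
        print(len(techniques), "technique(s) on", target, techniques)
```

On the report's data the correlation step puts four techniques on C:\Windows\rss\csrss.exe, one on the WinDefender service and one on injector.exe, and the schtasks /delete line produces nothing. The same rules run unchanged over Sysmon event ID 1 and 13 records once the image, command line and registry fields are mapped onto the EVENTS and REGISTRY shapes.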

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 3372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4824 wrote to memory of 3372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1204 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\rss\csrss.exe
PID 1204 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\rss\csrss.exe
PID 1204 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe C:\Windows\rss\csrss.exe
PID 492 wrote to memory of 3588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 3588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 3588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 4444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 4444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 4444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 1508 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 492 wrote to memory of 1508 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1700 wrote to memory of 1060 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1060 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1060 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1060 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1060 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe

"C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe

"C:\Users\Admin\AppData\Local\Temp\360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
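The `sc sdset WinDefender ...` command line in the Processes list above (spawned via cmd.exe by the dropped C:\Windows\windefender.exe) rewrites the security descriptor of the WinDefender service. The descriptor is the interesting part: the ACE `(D;;WPDT;;;BA)` denies Builtin Administrators the SERVICE_STOP and SERVICE_PAUSE_CONTINUE rights, so `sc stop WinDefender` from an elevated shell fails until the descriptor is reset. The Python below decodes that SDDL string; it is an added example written for this page and is not part of the sandbox output or of the malware. The right and trustee abbreviations follow Microsoft's SDDL notation as used by `sc sdshow` / `sc sdset`; `WINDEFENDER_SDDL` is copied verbatim from the command line above, and the function and class names are the example's own.

```python
"""Decode the service SDDL that the dropped windefender.exe applies with
`sc sdset WinDefender ...` and flag rights denied to Administrators."""
import re
from dataclasses import dataclass
from typing import List

# Copied from the sc.exe command line in the Processes list of this report.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Service-specific access rights as sc.exe renders them in SDDL.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Well-known SID abbreviations that appear in this descriptor.
TRUSTEES = {
    "SY": "Local System", "BA": "Builtin Administrators",
    "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone",
}

ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ADMINS = TRUSTEES["BA"]


@dataclass
class Ace:
    section: str        # "D" for the DACL, "S" for the SACL
    ace_type: str       # allow / deny / audit
    flags: str          # ACE flags, e.g. "FA" (audit failures and successes) on the SACL entry
    rights: List[str]   # decoded right names
    trustee: str        # decoded trustee name


def parse_sddl(sddl: str) -> List[Ace]:
    """Split the DACL and SACL of an sc.exe-style SDDL string into ACEs.

    Only the ACE grammar sc.exe emits (type;flags;rights;;;trustee) is handled;
    owner (O:) and group (G:) parts, absent here, are ignored."""
    aces = []
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))+)", sddl):
        for raw in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit, trustee = raw.split(";")
            # Rights are concatenated two-letter tokens: "WPDT" -> ["WP", "DT"].
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            aces.append(Ace(section, ACE_TYPES.get(ace_type, ace_type), flags,
                            [SERVICE_RIGHTS.get(t, t) for t in tokens],
                            TRUSTEES.get(trustee, trustee)))
    return aces


def admin_denied_rights(sddl: str) -> List[str]:
    """Rights explicitly denied to Builtin Administrators in the DACL."""
    return [r for ace in parse_sddl(sddl)
            if ace.section == "D" and ace.ace_type == "deny" and ace.trustee == ADMINS
            for r in ace.rights]


def admin_can_stop(sddl: str) -> bool:
    """True if Administrators can stop the service.

    Conservative reading of the DACL: a right counts only if an allow ACE grants
    it and no deny ACE names it. For the descriptor on this page the BA allow ACE
    does not even contain WP, so the deny ACE is belt and braces."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl):
        if ace.section != "D" or ace.trustee != ADMINS:
            continue
        (allowed if ace.ace_type == "allow" else denied).update(ace.rights)
    return "SERVICE_STOP" in allowed and "SERVICE_STOP" not in denied


def describe(sddl: str) -> List[str]:
    """Human-readable one-liners, one per ACE."""
    return [f"{'DACL' if a.section == 'D' else 'SACL'} {a.ace_type:<5} {a.trustee}: "
            f"{', '.join(a.rights)}" for a in parse_sddl(sddl)]


if __name__ == "__main__":
    print("\n".join(describe(WINDEFENDER_SDDL)))
    print("Administrators denied:", ", ".join(admin_denied_rights(WINDEFENDER_SDDL)))
    print("Administrators can stop service:", admin_can_stop(WINDEFENDER_SDDL))
```

On a suspected host, `sc sdshow WinDefender` returns the live descriptor in the same format and can be fed to `parse_sddl`. Note from the decoded allow ACE that the same descriptor still grants Builtin Administrators SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, so an administrator can overwrite it again with `sc sdset` (or take ownership) before stopping and deleting the service; that is the point to check before concluding the service cannot be removed.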

Network

Country Destination Domain Proto
US 8.8.8.8:53 ed428ab6-f2f6-4e33-9ff4-de6b48c6bc98.uuid.statstraffic.org udp
US 8.8.8.8:53 server15.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server15.statstraffic.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server15.statstraffic.org tcp
BG 185.82.216.104:443 server15.statstraffic.org tcp

Files

memory/2568-1-0x00000000049A0000-0x0000000004D9F000-memory.dmp

memory/2568-2-0x0000000004DA0000-0x000000000568B000-memory.dmp

memory/2568-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3144-4-0x00000000746DE000-0x00000000746DF000-memory.dmp

memory/3144-5-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

memory/3144-6-0x00000000056C0000-0x0000000005CEA000-memory.dmp

memory/3144-7-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/3144-8-0x00000000055E0000-0x0000000005602000-memory.dmp

memory/3144-10-0x0000000005E50000-0x0000000005EB6000-memory.dmp

memory/3144-9-0x0000000005CF0000-0x0000000005D56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysqdvnf0.cfq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3144-19-0x0000000005FC0000-0x0000000006317000-memory.dmp

memory/3144-20-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/3144-22-0x0000000006480000-0x000000000649E000-memory.dmp

memory/3144-23-0x00000000064B0000-0x00000000064FC000-memory.dmp

memory/2568-21-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3144-24-0x0000000007450000-0x0000000007496000-memory.dmp

memory/3144-26-0x0000000070940000-0x000000007098C000-memory.dmp

memory/3144-25-0x00000000078A0000-0x00000000078D4000-memory.dmp

memory/3144-28-0x0000000070AC0000-0x0000000070E17000-memory.dmp

memory/3144-27-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/3144-37-0x00000000078E0000-0x00000000078FE000-memory.dmp

memory/3144-38-0x0000000007900000-0x00000000079A4000-memory.dmp

memory/3144-39-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/3144-40-0x0000000008070000-0x00000000086EA000-memory.dmp

memory/3144-41-0x0000000007A30000-0x0000000007A4A000-memory.dmp

memory/3144-42-0x0000000007A70000-0x0000000007A7A000-memory.dmp

memory/3144-43-0x0000000007B80000-0x0000000007C16000-memory.dmp

memory/3144-44-0x0000000007A90000-0x0000000007AA1000-memory.dmp

memory/3144-45-0x0000000007AE0000-0x0000000007AEE000-memory.dmp

memory/3144-46-0x0000000007AF0000-0x0000000007B05000-memory.dmp

memory/3144-47-0x0000000007B40000-0x0000000007B5A000-memory.dmp

memory/3144-48-0x0000000007B60000-0x0000000007B68000-memory.dmp

memory/3144-51-0x00000000746D0000-0x0000000074E81000-memory.dmp

memory/2568-54-0x00000000049A0000-0x0000000004D9F000-memory.dmp

memory/2568-55-0x0000000004DA0000-0x000000000568B000-memory.dmp

memory/2568-53-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3596-64-0x0000000006160000-0x00000000064B7000-memory.dmp

memory/3596-65-0x0000000070940000-0x000000007098C000-memory.dmp

memory/3596-66-0x0000000070B90000-0x0000000070EE7000-memory.dmp

memory/3596-75-0x0000000007880000-0x0000000007924000-memory.dmp

memory/3596-76-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

memory/2568-78-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1204-77-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3596-79-0x0000000007C00000-0x0000000007C15000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9da3b17eb661cc00d27c203fdec7b2cd
SHA1 b46c89650476e8da5d0dd4099ea04b1ad22d1cf5
SHA256 c182af4087de1671391d3cd64027ee56f28b6d2bac873bd9975ee5e99d89ad00
SHA512 33ca79955e6c6da60c6dafeac7b5bf8a921702d0123521670408ce1141d9c52d42fec08cff4746d59152b86e3418dfaee65920ed9d6e1396fe507e6642612678

memory/3496-92-0x0000000070940000-0x000000007098C000-memory.dmp

memory/3496-93-0x0000000070B90000-0x0000000070EE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2c19e990376857b4d4a6aed7175e800
SHA1 20c0c8cdebbcbbeec8d5fdaf229c4b2549f1b916
SHA256 e0c255d53a3f7e2094a3925d331003b7594a2ab8a804421f3428753de0446817
SHA512 c0295394738ee9bc26b57512cf607a8866e0843b7b8d0f9d7f56bbd0cae79499b61fc0316d6b7477db586d9853fb8b370aa46c90247005420a38dea161f93458

memory/3956-112-0x0000000070940000-0x000000007098C000-memory.dmp

memory/3956-113-0x0000000070B90000-0x0000000070EE7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 8f2a3ef9906bc1028bde37950781d462
SHA1 8ea46de0941966fe1194c0c9ccdb5de7dfde12b4
SHA256 360da9ad616c76458e331f2bf6addfac3e511a670798319dde49fd217e192b67
SHA512 3587532c1fc46e7cab60379044d9d7218534b233d031d68755ddfc25ba76b36d0d5a96c79698936dba35e56ce807357d84321d1868faf5ce5de5a8de971707c1

memory/1204-127-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3588-139-0x00000000055A0000-0x00000000058F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b1ef5f417332753ed747fecc6c3518fe
SHA1 33b1fdf29d539f5724b0508540bbfc2697cc5843
SHA256 90fcf0b2c6d1d4d3961bfd37cf30314eaa4453f956aff7d3257869b10eef826d
SHA512 0fa77e84f54e671bd408dd7149fe3dc42dc01ff36e102bf513a1a2cf403060cab5e7d5d99edff4d682c2a59666d058f2657eacea6216928f80304c789ba077c9

memory/492-141-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3588-142-0x0000000070940000-0x000000007098C000-memory.dmp

memory/3588-143-0x0000000070AE0000-0x0000000070E37000-memory.dmp

memory/2420-153-0x0000000005970000-0x0000000005CC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c6d8c3de81884a3e3a95a6bf4839d950
SHA1 147371bbb26e88fd8478b0510b9876e624d73ddd
SHA256 17c8c1af88e7fdf7aa82c7c58c542928927969d1e7a847f7e88463a777397b8b
SHA512 003834fe693e0d7057892c4c1ad28c02a2b25c03c6f7b4995c17ab998b9b00d486802c5e16fd623fd911a423683620ddfca61e99eac29013789a6a2dd2681843

memory/2420-163-0x00000000062B0000-0x00000000062FC000-memory.dmp

memory/2420-164-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/2420-165-0x0000000070AB0000-0x0000000070E07000-memory.dmp

memory/2420-174-0x00000000071D0000-0x0000000007274000-memory.dmp

memory/2420-175-0x00000000074F0000-0x0000000007501000-memory.dmp

memory/2420-176-0x0000000005D50000-0x0000000005D65000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d051a8c42a31e29d6148df0b257f02a8
SHA1 59b64fdd3c25d9953fcccb33eec66eb27be5f042
SHA256 82f698bfee74dfde0e35055beb1ca6b0136fb8182dabd6ec68e5bf1f020f7b55
SHA512 efb2e7d4d0153e1e3eb31e4bff3a0e020f4ee0833a59b9a4a6cceeae0aa42bf130d64af056269b0681658721cb9cdf023ee019fa3ddd3eb4c7bdb4bfc17d210e

memory/4444-188-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/4444-189-0x0000000070AB0000-0x0000000070E07000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/492-204-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1700-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3776-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1700-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/492-215-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3776-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/492-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/492-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3776-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/492-224-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/492-227-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/492-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/492-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/492-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/492-239-0x0000000000400000-0x0000000002B0B000-memory.dmp