Analysis Overview
SHA256
2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d
Threat Level: Known bad
The file 2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
Modifies Windows Firewall
UPX packed file
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 18:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 18:07
Reported
2024-05-15 18:10
Platform
win10v2004-20240426-en
Max time kernel
9s
Max time network
152s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe
"C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe
"C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98868351-12a7-4565-8daf-a7005decf832.uuid.statscreate.org | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | server4.statscreate.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server4.statscreate.org | tcp |
| US | 74.125.250.129:19302 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server4.statscreate.org | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server4.statscreate.org | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server4.statscreate.org | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
memory/4444-1-0x0000000004880000-0x0000000004C81000-memory.dmp
memory/4444-2-0x0000000004C90000-0x000000000557B000-memory.dmp
memory/4444-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2980-4-0x0000000074F9E000-0x0000000074F9F000-memory.dmp
memory/2980-5-0x00000000052C0000-0x00000000052F6000-memory.dmp
memory/2980-6-0x0000000005930000-0x0000000005F58000-memory.dmp
memory/2980-7-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/2980-8-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/2980-9-0x00000000058F0000-0x0000000005912000-memory.dmp
memory/2980-10-0x00000000061D0000-0x0000000006236000-memory.dmp
memory/2980-11-0x0000000006240000-0x00000000062A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ax1pwvts.jor.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2980-21-0x00000000063B0000-0x0000000006704000-memory.dmp
memory/2980-23-0x00000000068D0000-0x000000000691C000-memory.dmp
memory/2980-22-0x0000000006890000-0x00000000068AE000-memory.dmp
memory/2980-24-0x00000000079A0000-0x00000000079E4000-memory.dmp
memory/2980-25-0x0000000007B40000-0x0000000007BB6000-memory.dmp
memory/2980-26-0x00000000082A0000-0x000000000891A000-memory.dmp
memory/2980-27-0x0000000007C50000-0x0000000007C6A000-memory.dmp
memory/2980-30-0x0000000070E30000-0x0000000070E7C000-memory.dmp
memory/2980-31-0x0000000070FB0000-0x0000000071304000-memory.dmp
memory/2980-29-0x0000000007E10000-0x0000000007E42000-memory.dmp
memory/2980-41-0x0000000007E50000-0x0000000007E6E000-memory.dmp
memory/2980-42-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4444-28-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/2980-43-0x0000000007E70000-0x0000000007F13000-memory.dmp
memory/2980-44-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/2980-45-0x0000000007F60000-0x0000000007F6A000-memory.dmp
memory/2980-46-0x0000000008070000-0x0000000008106000-memory.dmp
memory/2980-47-0x0000000007F70000-0x0000000007F81000-memory.dmp
memory/2980-49-0x0000000007FD0000-0x0000000007FE4000-memory.dmp
memory/2980-50-0x0000000008020000-0x000000000803A000-memory.dmp
memory/2980-51-0x0000000008010000-0x0000000008018000-memory.dmp
memory/2980-48-0x0000000007FB0000-0x0000000007FBE000-memory.dmp
memory/2980-54-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4444-56-0x0000000004880000-0x0000000004C81000-memory.dmp
memory/4444-57-0x0000000004C90000-0x000000000557B000-memory.dmp
memory/688-63-0x0000000005660000-0x00000000059B4000-memory.dmp
memory/688-68-0x0000000070E30000-0x0000000070E7C000-memory.dmp
memory/688-69-0x00000000715B0000-0x0000000071904000-memory.dmp
memory/688-79-0x0000000006EC0000-0x0000000006F63000-memory.dmp
memory/688-80-0x0000000007200000-0x0000000007211000-memory.dmp
memory/688-82-0x0000000007250000-0x0000000007264000-memory.dmp
memory/4444-81-0x0000000000400000-0x0000000002B0B000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2d7a6fde2bfb46a624940b7dc86dd404 |
| SHA1 | 4f99b548807fabd44627473a9af4adadecbe5f91 |
| SHA256 | 1d5368c2eb5f64eabbd84481476ef440518deb13f191c85b6526fd88c0efd6d8 |
| SHA512 | 60f8c4431da1b7becd467574411d0e80dd09c91cc05f4a2d8f685c436c56957602987644ec4a7a931e564a7a74963ef9192d6da0d6b95c8d0724195bb08092f5 |
memory/4508-96-0x0000000070E30000-0x0000000070E7C000-memory.dmp
memory/4508-97-0x00000000715B0000-0x0000000071904000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 17f63cc66a9bd14333e3367a51aa72b5 |
| SHA1 | 3bfc00d6d11e89e2679f3bfc87d08ce05695a6bd |
| SHA256 | bb082ddf846d8b8fdaa7aa425613a0130e33c699cba86acd151fcccac14087db |
| SHA512 | fe9bc639429f7a0882c1f7700b48c1c390c03deb8d57229e9ee356d75e6f7bf273f98b5caebceb5cc23f9a83f3b7635d7c4b721f2841edb400b97cb984cf1ecc |
memory/4368-117-0x00000000057A0000-0x0000000005AF4000-memory.dmp
memory/4444-120-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1512-119-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/4368-122-0x0000000070FD0000-0x0000000071324000-memory.dmp
memory/4368-121-0x0000000070E30000-0x0000000070E7C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 2857e50137503a7117efc900610030d7 |
| SHA1 | 417cf8908a83aedb95c5c2638772c2d7ce3f9f57 |
| SHA256 | 2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d |
| SHA512 | 1098f7d417d0a429de4e9b31d4845efecca48826d6713954daf79473c9652ae058111e3bab2b47f13bfeca0678b0c8944f117ed110650c7300e03305bf8fb344 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6dec6375f8dd1e01f5e58726cf0ec62d |
| SHA1 | 8b4981b33272db5579c5aaedbc471843741799e4 |
| SHA256 | 2c6b2dab6fe2d83ce08e0a0eaf0c2b7034cc615c4b4246f716963f21dd745469 |
| SHA512 | 4a6d5a461b05fe80fc96767ef230d8b4b478f42ea1fa28061fac4fcde1eb7f9f4196d192c36a025c0ed48936ff373c99a23bf17faf8baf969d51f3c1281e67b0 |
memory/1296-150-0x00000000715B0000-0x0000000071904000-memory.dmp
memory/1296-149-0x0000000070E30000-0x0000000070E7C000-memory.dmp
memory/1512-161-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/3544-171-0x0000000005D50000-0x00000000060A4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 011599457f16b2dd482e0da03b0317f3 |
| SHA1 | 380411443762697424d430a4acd724a3257f27ca |
| SHA256 | 5efe524ca09fbaf58e9d1013d92c3f05c648acc7de5fa2fa6270bd741d8839c0 |
| SHA512 | 5af7bfdd5ecb373c11d550026f4c400e378b03fe41afe250f996c331538e5b20f2a6323558e303dc2ec73237f2896e6cfeb0c00a0b8887e36160ea2d71bbdcb7 |
memory/3544-173-0x00000000062F0000-0x000000000633C000-memory.dmp
memory/3544-174-0x0000000070D50000-0x0000000070D9C000-memory.dmp
memory/3544-185-0x0000000007520000-0x00000000075C3000-memory.dmp
memory/3544-175-0x0000000070ED0000-0x0000000071224000-memory.dmp
memory/3544-186-0x00000000076D0000-0x00000000076E1000-memory.dmp
memory/3544-187-0x00000000060D0000-0x00000000060E4000-memory.dmp
memory/1596-198-0x0000000005AB0000-0x0000000005E04000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 549b865478e0c9cc15f8721b807e53a7 |
| SHA1 | 2d8db1bbbb94eb48b4a5b74e87989c880af96374 |
| SHA256 | 79f66e08713dde6d8dcf5ccfa7f2667d67e6bed68c2488921bd59cb5ae3b11ba |
| SHA512 | 91969070793a2cea878fc7ef0beeb25751aac2de28367cba22181eebdbbadae1c1dbe0b8823bcf898a2e912bdc77693febfaae4825a726e0fcdc48c1eeadd55a |
memory/1596-201-0x00000000714E0000-0x0000000071834000-memory.dmp
memory/1596-200-0x0000000070D50000-0x0000000070D9C000-memory.dmp
memory/972-211-0x0000000000400000-0x0000000002B0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/3332-225-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/972-224-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/3332-228-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/736-227-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/972-231-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/736-232-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/972-235-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/972-239-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/736-240-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/972-243-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/972-247-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/972-251-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/972-255-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/972-259-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/972-263-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/972-267-0x0000000000400000-0x0000000002B0B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 18:07
Reported
2024-05-15 18:10
Platform
win11-20240426-en
Max time kernel
20s
Max time network
147s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | "C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe | "C:\Users\Admin\AppData\Local\Temp\2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ddd64dcc-9165-4dc6-9154-724f36a9a147.uuid.statscreate.org | udp |
| US | 8.8.8.8:53 | server2.statscreate.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| BG | 185.82.216.96:443 | server2.statscreate.org | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| BG | 185.82.216.96:443 | server2.statscreate.org | tcp |
| NL | 52.111.243.31:443 | | tcp |
| BG | 185.82.216.96:443 | server2.statscreate.org | tcp |
| BG | 185.82.216.96:443 | server2.statscreate.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqkbx4mr.fu2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7cfacc244a537dbd2711b97bfa5d2679 |
| SHA1 | 1004fa6f642aca3eba91b47f0cc5feee0b211dc1 |
| SHA256 | 45dc6303ab4fb74ac1f10f88359f0a80bd6586ea48919b235a50c26336f6dd66 |
| SHA512 | 666cec86bc6ef6aa6c8315861089fe1026488a3e50ad69356b0e04950083f6a565c573b7953d3009af7a6038ec35204b1af484b31fa8bc271029dfebfaac46e3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 025e73695cd04813d9f8376ade986558 |
| SHA1 | 887b8578b43b7610e009f3793c0a71bbdaae8861 |
| SHA256 | 951f8fa9b8d6db0466c213d0330c9ccab91cd3c7ecf14f0fd3934dcf233447b4 |
| SHA512 | ba98f6e8fecc61dd9a57193185cdb88d17e7e95b077112dd3b28cbe736b7fdb180b7a8fa33e843f52c55febacc2888bd01cb134b93d24fbda9dc3b78e928dd0a |
C:\Windows\rss\csrss.exe
| MD5 | 2857e50137503a7117efc900610030d7 |
| SHA1 | 417cf8908a83aedb95c5c2638772c2d7ce3f9f57 |
| SHA256 | 2fa264b5826d41d8c3e8d7dfc16b8e09b80eae097fd55b8ffb2e9dc85926037d |
| SHA512 | 1098f7d417d0a429de4e9b31d4845efecca48826d6713954daf79473c9652ae058111e3bab2b47f13bfeca0678b0c8944f117ed110650c7300e03305bf8fb344 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9a61ad6aa55bada6f425a24133481f56 |
| SHA1 | e8ac95791313be2148aa5037da1572ea77396ee0 |
| SHA256 | a69438d42f5ca981d2ced364d6bdd69cc75b52cd887c30d368ee1c7b8d7596f5 |
| SHA512 | d061423805c70df329f076cc8db98ad1eddbe7cccc44da3426a627d7cb62ee9d50ff834cf635d3f2fb7dcb8ec540189faa30f5635402b8eead2a46af539744f2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9e2d22937cb3d9d20144142c3d39d7d1 |
| SHA1 | 45c3b6d83c8251ab6ff8914cab3a5d425d676cd3 |
| SHA256 | 94a1329c20fd884a999bcf04caf0019face676dc8fcb92681b007cd4b846381e |
| SHA512 | 45e9ce848c7ae3c9fa4078ae5260289ff29810cf98ed422e4ed63a3dbd6f49216719024bd87a02daf28b113fb030208f39218a9f9b1c6f59450e6de1f792beb4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 924f19c32d65a289860110ce7f30ef6c |
| SHA1 | 57cc89e4ac060a8f0dca1039c856d52551901e4f |
| SHA256 | 3d38d7c2cf4c42a86ec9ddcbccc88eec32bad3660d3afee4880d2a623630cdc8 |
| SHA512 | 91ba09ce03423e24b7e0773f7af1d9a10d64fa3b64e4964f3f49552df574dedd06ca71cd11988b7e9b85f5e3f1bc3f2e0ed9fabdc06c636c975b312f5f0cb143 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |