Malware Analysis Report

2025-01-02 06:43

Sample ID: 240515-x3cmfagb35
Target: 6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63
SHA256: 6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63

Threat Level: Known bad

The file 6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63 was found to be: Known bad.

Malicious Activity Summary

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-15 19:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-15 19:22
Reported: 2024-05-15 19:24
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe"

Signatures

Glupteba

Tags: loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

Tags: evasion

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Windows\system32\netsh.exe | N/A | 1

Executes dropped EXE

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Windows\rss\csrss.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A | 1
N/A | N/A | C:\Windows\windefender.exe | N/A | 2

UPX packed file

Tags: upx

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target | Hits
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A | 1
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1

Checks installed software on the system

Tags: discovery

Manipulates WinMonFS driver.

Tags: rootkit evasion

Description | Indicator | Process | Target | Hits
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A | 1

Drops file in System32 directory

Description | Indicator | Process | Target | Hits
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 5
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target | Hits
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1

Drops file in Windows directory

Description | Indicator | Process | Target | Hits
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A | 1
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A | 1
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1

Launches sc.exe

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A | 1

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A | 2

Modifies data under HKEY_USERS

Description | Indicator | Process | Target | Hits
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\windefender.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Windows\windefender.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\windefender.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" | C:\Windows\windefender.exe | N/A | 1
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Windows\windefender.exe | N/A | 1

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 14
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 12
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A | 32
N/A | N/A | C:\Windows\rss\csrss.exe | N/A | 6

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Hits
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 7
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | N/A | 1
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A | 1
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Hits
PID 4968 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3368 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3368 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | C:\Windows\system32\cmd.exe | 2
PID 4460 wrote to memory of 3520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe | 2
PID 3368 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3368 wrote to memory of 4020 | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3368 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe | C:\Windows\rss\csrss.exe | 3
PID 1532 wrote to memory of 1808 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1532 wrote to memory of 2924 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1532 wrote to memory of 4236 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1532 wrote to memory of 3632 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | 2
PID 2296 wrote to memory of 2652 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2652 wrote to memory of 3088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe | 3

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe
    "C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe
    "C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0869c9f3-5361-4760-924e-a6e453fe1a58.uuid.myfastupdate.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server2.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server2.myfastupdate.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BG 185.82.216.111:443 server2.myfastupdate.org tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.111:443 server2.myfastupdate.org tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 105.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/4968-1-0x0000000004960000-0x0000000004D63000-memory.dmp

memory/4968-2-0x0000000004D70000-0x000000000565B000-memory.dmp

memory/4968-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3140-4-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

memory/3140-5-0x00000000027F0000-0x0000000002826000-memory.dmp

memory/3140-6-0x00000000052B0000-0x00000000058D8000-memory.dmp

memory/3140-7-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/3140-8-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/3140-9-0x0000000005140000-0x0000000005162000-memory.dmp

memory/3140-11-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/3140-10-0x0000000005990000-0x00000000059F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzewmb2b.pb4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3140-19-0x0000000005B20000-0x0000000005E74000-memory.dmp

memory/3140-22-0x0000000006140000-0x000000000615E000-memory.dmp

memory/3140-23-0x00000000061C0000-0x000000000620C000-memory.dmp

memory/3140-24-0x00000000066A0000-0x00000000066E4000-memory.dmp

memory/3140-25-0x0000000007450000-0x00000000074C6000-memory.dmp

memory/3140-26-0x0000000007B50000-0x00000000081CA000-memory.dmp

memory/3140-27-0x00000000074F0000-0x000000000750A000-memory.dmp

memory/4968-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3140-29-0x00000000076A0000-0x00000000076D2000-memory.dmp

memory/3140-31-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/3140-30-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/3140-42-0x00000000076E0000-0x00000000076FE000-memory.dmp

memory/3140-32-0x0000000071230000-0x0000000071584000-memory.dmp

memory/3140-44-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/3140-43-0x0000000007700000-0x00000000077A3000-memory.dmp

memory/3140-45-0x00000000077F0000-0x00000000077FA000-memory.dmp

memory/3140-46-0x00000000078B0000-0x0000000007946000-memory.dmp

memory/3140-47-0x0000000007810000-0x0000000007821000-memory.dmp

memory/3140-48-0x0000000007850000-0x000000000785E000-memory.dmp

memory/3140-49-0x0000000007860000-0x0000000007874000-memory.dmp

memory/3140-50-0x0000000007950000-0x000000000796A000-memory.dmp

memory/3140-51-0x0000000007890000-0x0000000007898000-memory.dmp

memory/3140-54-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/4968-56-0x0000000004960000-0x0000000004D63000-memory.dmp

memory/4968-57-0x0000000004D70000-0x000000000565B000-memory.dmp

memory/4968-58-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2392-65-0x00000000059E0000-0x0000000005D34000-memory.dmp

memory/4968-69-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2392-70-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/2392-71-0x0000000071210000-0x0000000071564000-memory.dmp

memory/2392-81-0x0000000007270000-0x0000000007313000-memory.dmp

memory/2392-82-0x0000000007570000-0x0000000007581000-memory.dmp

memory/2392-83-0x00000000075C0000-0x00000000075D4000-memory.dmp

memory/3368-84-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 04d055c375b21af52223270ca4782f7a
SHA1 08aca622f643c66def9aff0f4941c52ea5cf922f
SHA256 4f3f5a72f94d1dd94cfa40bb96c14c588e07f5b85430d573bfb8cc5538412302
SHA512 5267260d27f2836a58533b705064371ea9ddf76c4dcc91cfc42da3de7a8174078bec78bcb640bcdddae124d780b6d0451fd1b4f3b36ef03610486c19f39db31d

memory/2600-98-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/2600-99-0x0000000071210000-0x0000000071564000-memory.dmp

memory/4020-119-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 695845386b1ba26526aaec5fbd208856
SHA1 eaadf5118f0b06b37db8ae09466fc449771450e1
SHA256 e24c0b9f843f1a939fd8188206aa123e0bcecf843c8b92e1707b63571111a731
SHA512 a2c84ab77cdac6c8b1e7b8e7d508d3f8a85bc387a0427d0f7f92c37e7e75eafcd3cc5c294d17a4f66f0a62030d1c4d79a459a59dafd2c9bca2d2770594a06a76

memory/4020-121-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/4020-122-0x0000000070C10000-0x0000000070F64000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 32eb8f96c3f48c68b4765a48815cf19c
SHA1 bc4082e5bf5f6acbbdb0fc27efae52157924ef1a
SHA256 6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63
SHA512 19cc5cfbccfe91a3e85495b639c8cf4fa57897f29ea58bca8a1b71bcbe4149343e201f24a3c3ae704dcd79809b9970b0da94fd4ecb5067ec04919472c18a0801

memory/3368-136-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 028f52d6e5032ef965323131fef99104
SHA1 3a948a0b3c564bcdd57302e9e198393aa2d5baa0
SHA256 dd08e34f8a1543c306ff9bc9e641698d30b3d40997c08ccca28f95d2140410ec
SHA512 e58e4f702e1e06e9ec0db64fa99264e785c67f00f327eec5a33ea9031f180afeadf5d04d4b8c8fd7924129bc30fcf10f5860b58b950115bffaf92f1e060c8264

memory/1808-150-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/1808-151-0x0000000071210000-0x0000000071564000-memory.dmp

memory/1532-162-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2924-164-0x0000000005690000-0x00000000059E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c4d04455ba8688e47fe0c28fc64535ca
SHA1 104daa90eb8f6357a99537db4d83b18fe65f727b
SHA256 bb24547520b1797844548a8addd7938a004fed5eee61ef9f3331cf5ad48ae18f
SHA512 f6235cf524f0ebd8d1d6809a9e077c0c10297ca46bfe23ef70118fe73e665fba0b1b92923d815b2002f8c3f66f562931bdda62b527600080792fb120c07756fa

memory/2924-175-0x0000000005E30000-0x0000000005E7C000-memory.dmp

memory/2924-176-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/2924-177-0x0000000071140000-0x0000000071494000-memory.dmp

memory/2924-187-0x0000000006D10000-0x0000000006DB3000-memory.dmp

memory/2924-188-0x0000000007000000-0x0000000007011000-memory.dmp

memory/2924-189-0x0000000004F10000-0x0000000004F24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88763644d5fe63c1568167c772da5b07
SHA1 31b309f5622205cd35f08c98878275735be21001
SHA256 08132779fbbfddbfe863f972b9792f95083fe672020b52960d4043664ebd7981
SHA512 3b2f80eac889da5ac21a965cfd1631d098f11eba5367ea443363b431c35009d1cfc3db643a084acf693dd216918c8fb7458f4c32d09830e7578d6bf27635a6be

memory/4236-201-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/4236-202-0x0000000071140000-0x0000000071494000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1532-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2296-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2820-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2296-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1532-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2820-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1532-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1532-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2820-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1532-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1532-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1532-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1532-248-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1532-251-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1532-254-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 19:22

Reported

2024-05-15 19:25

Platform

win11-20240508-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1628 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1628 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\system32\cmd.exe
PID 4028 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\system32\cmd.exe
PID 956 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 956 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4028 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\rss\csrss.exe
PID 4028 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\rss\csrss.exe
PID 4028 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\rss\csrss.exe
PID 4212 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2476 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4212 wrote to memory of 2476 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1528 wrote to memory of 1536 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1536 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1536 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1536 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1536 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
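Each row above records a parent writing into a process it has just created (the normal CreateProcess pattern the sandbox flags as WriteProcessMemory), so the table doubles as a parent/child record. The following is an added example written for this page, not code from the report: it rebuilds the process tree from those rows. The one trap in this data is that PID 956 is used twice (cmd.exe under the sample, then sc.exe under a different cmd.exe after the first one exited), so nodes are keyed on PID and image together rather than the bare PID.

```python
import re
from collections import defaultdict

# Distinct rows copied from the report's "Suspicious use of WriteProcessMemory" table
# (the report repeats most rows two or three times; one duplicate is kept to show de-duplication).
WPM_ROWS = r"""
PID 1628 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1628 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\system32\cmd.exe
PID 956 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4028 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe C:\Windows\rss\csrss.exe
PID 4212 wrote to memory of 232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2476 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1528 wrote to memory of 1536 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) tuples, de-duplicated, in report order."""
    events, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ev = (int(m[1]), int(m[2]), m[3], m[4])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def build_tree(events):
    """Map (pid, image) -> ordered list of child (pid, image).

    Keying on PID and image together keeps the two processes that used PID 956
    apart; keyed on the bare PID, netsh.exe would wrongly hang under sc.exe.
    """
    children = defaultdict(list)
    for ppid, pid, pimg, cimg in events:
        children[(ppid, pimg)].append((pid, cimg))
    return dict(children)


def children_of(tree, pid):
    """Children of every node that carried this PID (more than one node when the PID was reused)."""
    return [c for (p, _), kids in tree.items() if p == pid for c in kids]


def roots(events):
    """Parents that never appear as a child, i.e. where the recorded lineage starts."""
    is_child = {(pid, cimg) for _, pid, _, cimg in events}
    found = []
    for ppid, _, pimg, _ in events:
        node = (ppid, pimg)
        if node not in is_child and node not in found:
            found.append(node)
    return found


def render(tree, node, depth=0, out=None):
    """Indented 'pid basename' lines for the subtree under node."""
    out = [] if out is None else out
    pid, image = node
    out.append("    " * depth + f"{pid} {image.rsplit(chr(92), 1)[-1]}")
    for child in tree.get(node, []):
        render(tree, child, depth + 1, out)
    return out


if __name__ == "__main__":
    evs = parse_rows(WPM_ROWS)
    t = build_tree(evs)
    for root in roots(evs):
        print("\n".join(render(t, root)))
        print()
```

Run stand-alone it prints three trees, because the table gives no parent for the two sample instances (1628 and 4028) or for windefender.exe (1528): the sample spawns the PowerShell instances, the cmd.exe that runs netsh, and C:\Windows\rss\csrss.exe, which in turn spawns more PowerShell and injector.exe; windefender.exe separately spawns the cmd.exe that runs sc.exe. The table only shows that these writes happened, not what was written, so the tree is a lineage reconstruction, not evidence of code injection into the children.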

Uses Task Scheduler COM API

persistence

Processes

Image: C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\system32\cmd.exe
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Image: C:\Windows\system32\netsh.exe
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\rss\csrss.exe
Command line: C:\Windows\rss\csrss.exe

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Image: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /delete /tn ScheduledUpdate /f

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Image: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Image: C:\Windows\windefender.exe
Command line: "C:\Windows\windefender.exe"

Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Image: C:\Windows\SysWOW64\sc.exe
Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Image: C:\Windows\windefender.exe
Command line: C:\Windows\windefender.exe
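The `sc sdset WinDefender ...` command line in the process list rewrites the security descriptor of the service the sample registers. Decoding that SDDL string shows what the rewrite is for. The following is an added example written for this page, not code from the report or from the malware: it parses the descriptor exactly as the report records it and evaluates, right by right, what each well-known SID ends up able to do. The right-code and SID tables are the standard SDDL abbreviations as Windows applies them to a service object.

```python
import re

# The descriptor exactly as the report records it in the `sc sdset WinDefender` command line.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
        "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# SDDL two-letter right codes as the service control manager maps them onto a service object.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that occur in this descriptor.
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
        "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# D:/S: sections, each an optional flag string followed by a run of (…) ACEs.
ACL_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
# (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([A-Z]*);([^;]*);([^;]*);([\w-]+)\)")


def parse_sddl(sddl):
    """Split the DACL and SACL into ACE dicts, in the order Windows evaluates them."""
    acls = {"dacl": [], "sacl": []}
    for kind, _acl_flags, body in ACL_RE.findall(sddl):
        key = "dacl" if kind == "D" else "sacl"
        for ace_type, flags, rights, _obj, _inherit, sid in ACE_RE.findall(body):
            acls[key].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,  # on an audit ACE, FA = log failed access
                "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)],
                "sid": SIDS.get(sid, sid),
            })
    return acls


def effective_rights(dacl, sid):
    """Per-right, first-matching-ACE evaluation for a trustee holding only `sid`.

    Windows walks the ACEs in order, so for any single right the first allow or
    deny ACE that names it for the trustee decides. Group membership (an
    Administrators member is usually also Interactive) is ignored here, which
    is a simplification of the real access check.
    """
    decided = {}
    for ace in dacl:
        if ace["sid"] != sid or ace["type"] not in ("allow", "deny"):
            continue
        for code in ace["rights"]:
            decided.setdefault(code, ace["type"] == "allow")
    return {RIGHTS.get(code, code): ok for code, ok in decided.items()}


def denied_controls(sddl, sid="Administrators"):
    """Service rights an explicit deny ACE withholds from `sid`, sorted by name."""
    eff = effective_rights(parse_sddl(sddl)["dacl"], sid)
    return sorted(name for name, ok in eff.items() if not ok)


if __name__ == "__main__":
    for ace in parse_sddl(SDDL)["dacl"]:
        print(ace["type"], ace["sid"], " ".join(RIGHTS[r] for r in ace["rights"]))
    print("Administrators cannot:", denied_controls(SDDL))
```

Run stand-alone it prints one line per DACL entry and ends with the rights Administrators are left without: SERVICE_STOP and SERVICE_PAUSE_CONTINUE. The Administrators allow ACE already omits those two rights and the deny ACE that follows makes the refusal explicit, so an elevated `sc stop WinDefender` is denied while LocalSystem, which the service itself runs as, keeps them. The descriptor does leave Administrators WRITE_DAC and SERVICE_CHANGE_CONFIG, so a responder can compare the live descriptor with `sc sdshow WinDefender`, reapply a normal one with `sc sdset`, and only then stop and delete the service. The evaluation above ignores group membership and is a simplification of the kernel's access check.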

Network

Country Destination Domain Proto
US 8.8.8.8:53 175fd5b4-5381-4824-b054-d797e6cf8014.uuid.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.myfastupdate.org udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server15.myfastupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 52.111.229.19:443 tcp
BG 185.82.216.111:443 server15.myfastupdate.org tcp
BG 185.82.216.111:443 server15.myfastupdate.org tcp

Files

memory/1628-1-0x0000000004900000-0x0000000004D07000-memory.dmp

memory/1628-2-0x0000000004D10000-0x00000000055FB000-memory.dmp

memory/1628-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1948-4-0x000000007417E000-0x000000007417F000-memory.dmp

memory/1948-5-0x0000000004F80000-0x0000000004FB6000-memory.dmp

memory/1948-6-0x0000000074170000-0x0000000074921000-memory.dmp

memory/1948-7-0x00000000056B0000-0x0000000005CDA000-memory.dmp

memory/1948-8-0x0000000074170000-0x0000000074921000-memory.dmp

memory/1948-9-0x00000000055B0000-0x00000000055D2000-memory.dmp

memory/1948-12-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/1948-11-0x0000000005CE0000-0x0000000005D46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q3kf2t34.rfr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1948-21-0x0000000005F20000-0x0000000006277000-memory.dmp

memory/1628-10-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1948-22-0x0000000006450000-0x000000000646E000-memory.dmp

memory/1948-23-0x0000000006480000-0x00000000064CC000-memory.dmp

memory/1948-24-0x00000000069A0000-0x00000000069E6000-memory.dmp

memory/1948-26-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/1948-25-0x0000000007850000-0x0000000007884000-memory.dmp

memory/1948-28-0x0000000074170000-0x0000000074921000-memory.dmp

memory/1948-38-0x00000000078D0000-0x0000000007974000-memory.dmp

memory/1948-37-0x00000000078B0000-0x00000000078CE000-memory.dmp

memory/1948-27-0x0000000070630000-0x0000000070987000-memory.dmp

memory/1948-39-0x0000000074170000-0x0000000074921000-memory.dmp

memory/1948-40-0x0000000008040000-0x00000000086BA000-memory.dmp

memory/1948-41-0x0000000007A00000-0x0000000007A1A000-memory.dmp

memory/1948-42-0x0000000007A40000-0x0000000007A4A000-memory.dmp

memory/1948-43-0x0000000007B50000-0x0000000007BE6000-memory.dmp

memory/1948-44-0x0000000007A60000-0x0000000007A71000-memory.dmp

memory/1948-45-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

memory/1948-46-0x0000000007AC0000-0x0000000007AD5000-memory.dmp

memory/1948-47-0x0000000007B10000-0x0000000007B2A000-memory.dmp

memory/1948-48-0x0000000007B30000-0x0000000007B38000-memory.dmp

memory/1948-51-0x0000000074170000-0x0000000074921000-memory.dmp

memory/1628-54-0x0000000004900000-0x0000000004D07000-memory.dmp

memory/1628-55-0x0000000004D10000-0x00000000055FB000-memory.dmp

memory/1628-53-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1628-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4028-65-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4708-66-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/4708-67-0x0000000070630000-0x0000000070987000-memory.dmp

memory/4708-76-0x00000000079E0000-0x0000000007A84000-memory.dmp

memory/4708-77-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

memory/4708-78-0x0000000007D30000-0x0000000007D45000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/5048-91-0x00000000056F0000-0x0000000005A47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d0470c0b8e592641b72c5f7903b7ab27
SHA1 db370a75be71e9db33c8371045d2ad9884643057
SHA256 c4ee4e3d26c6503067051617cff558be3489cd8d1419420959500b268609a075
SHA512 a9754f3e66559c0d86268ba9a9886a2d45d0fb1f565ca112c1f4f3fb201f7296cf86b95e33007bd18820393901af80e3949c366c6afd8073eeda1548e6282212

memory/5048-93-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/5048-94-0x0000000070560000-0x00000000708B7000-memory.dmp

memory/2140-112-0x0000000005ED0000-0x0000000006227000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf00446c617e9d3cfecfbdfdbc428327
SHA1 a0d76e0934d9e33031ca7638e6f83f03e7b4219e
SHA256 62297682b304f2b1d11c64ba77f155bb7d9dd68a5f79ec25dc198f90844f5fad
SHA512 0c4e0d8f9d44a34e1231889b2f9570edce88bae8abcc092ccd45c263236daf3c475d775337ffe05f1473511c6c2d34af5b6a15884bb89b1c1d6a542eafbda245

memory/2140-115-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/2140-116-0x0000000070580000-0x00000000708D7000-memory.dmp

memory/4028-114-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 32eb8f96c3f48c68b4765a48815cf19c
SHA1 bc4082e5bf5f6acbbdb0fc27efae52157924ef1a
SHA256 6e31c9f7cc2950b9746c28d0439d5b11438c5f31f5c0b51988cd2ae2e43bab63
SHA512 19cc5cfbccfe91a3e85495b639c8cf4fa57897f29ea58bca8a1b71bcbe4149343e201f24a3c3ae704dcd79809b9970b0da94fd4ecb5067ec04919472c18a0801

memory/4028-129-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/232-142-0x00000000062E0000-0x0000000006637000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 65142a3f3e55b580fdb4971515fe2ac9
SHA1 0f65275f995abeacfa1669c101fbb6c6b2d29e2d
SHA256 82500b2641148648c4605fbb1394f7c5be9a023d0e93ae26f0691c6b4df8cde4
SHA512 2404cff04ceda4a3bae66eacec955b0f57a9cb66ecfe1a767bc300d294e51107a626d90b348079c78c2b1eaaf2ff4f03755df62b34432a56b0a42bb9c7c7c4ad

memory/232-144-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/232-145-0x0000000070650000-0x00000000709A7000-memory.dmp

memory/1856-155-0x00000000063C0000-0x0000000006717000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 71cff5ae086957c339ca20140615991e
SHA1 4e039345837d99a8b66bb99dd8193cf6253bc428
SHA256 0eb9cf7e55b5d0c4d397fbb178a2a5893ebc7bbe2ed1eb58aef0d383601ab0db
SHA512 32846e2786d0a0327192c514c3c9b90618f3569cbe5fbb561f4cf310a60d3eba6a7753ea957e46ce17f514f8ec56d1b3215fe4b74e2a5d9b976d530566866369

memory/1856-165-0x0000000006980000-0x00000000069CC000-memory.dmp

memory/1856-166-0x0000000070300000-0x000000007034C000-memory.dmp

memory/1856-167-0x0000000070550000-0x00000000708A7000-memory.dmp

memory/1856-176-0x0000000007BD0000-0x0000000007C74000-memory.dmp

memory/1856-177-0x0000000007EF0000-0x0000000007F01000-memory.dmp

memory/4212-179-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1856-180-0x0000000006750000-0x0000000006765000-memory.dmp

memory/2456-190-0x0000000005F10000-0x0000000006267000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4a7d1dec92d6f793f814b90efd1ac604
SHA1 31f42b951a628ffc5aaab4fc3e40dbefd508b886
SHA256 438de4a521a13f8b9e9713cb95beb213cc19d62f36fef7accfc3f1c5b5778229
SHA512 e626af38efe67182c33700b47800a6828704b3fea69c44658780a6c1a17c77c1703119d71f204589084569572abffadb4f119e52c8e8fd8e406f83f0c61072ae

memory/2456-192-0x0000000070300000-0x000000007034C000-memory.dmp

memory/2456-193-0x0000000070480000-0x00000000707D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4212-209-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1528-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4844-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1528-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4212-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4844-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4212-223-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4212-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4844-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4212-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4212-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4212-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4212-238-0x0000000000400000-0x0000000002B0B000-memory.dmp