Malware Analysis Report

2024-12-08 02:05

Sample ID 240516-mc32lafh2z
Target 3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7
SHA256 3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7

Threat Level: Known bad

The file 3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:20

Reported

2024-05-16 10:22

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Count Description Indicator Process Target
19 N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Count Description Indicator Process Target
1 N/A N/A C:\Windows\rss\csrss.exe N/A
1 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
2 N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Count Description Indicator Process Target
6 N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Count Description Indicator Process Target
1 File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
1 File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
5 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Count Description Indicator Process Target
2 N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
2 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
2 N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
3 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
10 N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
11 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
8 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
2 N/A N/A C:\Windows\rss\csrss.exe N/A
4 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
2 N/A N/A C:\Windows\rss\csrss.exe N/A
4 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
2 N/A N/A C:\Windows\rss\csrss.exe N/A
14 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
1 Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
1 Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
6 Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
1 Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
2 Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 3716 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 844 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2 PID 844 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\system32\cmd.exe
2 PID 640 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
3 PID 844 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 844 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 844 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\rss\csrss.exe
3 PID 964 wrote to memory of 2320 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 964 wrote to memory of 112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 964 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2 PID 964 wrote to memory of 1352 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
3 PID 2648 wrote to memory of 2112 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
3 PID 2112 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe

"C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe

"C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
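
The `sc sdset WinDefender ...` command above rewrites the security descriptor of the dropped WinDefender service. The decoder below is an added example written for this page, not code from the report or from the sample. It parses that exact SDDL string using the service-object meaning of the two-letter right codes and the well-known SID aliases as Microsoft documents them, then lists what each trustee is allowed and denied. The `explicit_rights` helper is a deliberate simplification: it reads what the descriptor says about one named trustee and ignores group membership and ACE ordering, so it is not a full access check.

```python
"""Decode the service SDDL passed to `sc sdset` in this report (added example)."""
import re
from typing import NamedTuple

# Right codes as they apply to service objects (Microsoft: service security
# and access rights). Same letters mean different things on files or keys.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID aliases used in this descriptor.
SID_ALIASES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
               "IU": "INTERACTIVE", "SU": "SERVICE", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The string exactly as it appears on the sc.exe command line above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


class Ace(NamedTuple):
    section: str    # "D" = DACL, "S" = SACL
    kind: str       # allow / deny / audit
    flags: str
    rights: tuple   # decoded right names
    trustee: str    # resolved alias, or the raw SID if not aliased


SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(code: str) -> tuple:
    """Split 'CCLCSW...' into right names; a hex mask is passed through."""
    if code.lower().startswith("0x"):
        return (code,)
    return tuple(SERVICE_RIGHTS.get(code[i:i + 2], code[i:i + 2])
                 for i in range(0, len(code), 2))


def parse_sddl(sddl: str) -> list:
    """Return the DACL and SACL ACEs in the order they appear."""
    aces = []
    for section, _section_flags, body in SECTION_RE.findall(sddl):
        for raw in ACE_RE.findall(body):
            fields = raw.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE: {raw!r}")
            ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields[:6]
            aces.append(Ace(section, ACE_TYPES.get(ace_type, ace_type), flags,
                            decode_rights(rights), SID_ALIASES.get(sid, sid)))
    return aces


def explicit_rights(aces: list, trustee: str) -> dict:
    """Rights explicitly allowed/denied to one trustee in the DACL.

    Simplification: ignores group membership and ACE ordering, so this is
    what the descriptor states for the named trustee, not an access check.
    """
    allowed, denied = set(), set()
    for ace in aces:
        if ace.section != "D" or ace.trustee != trustee:
            continue
        (allowed if ace.kind == "allow" else denied).update(ace.rights)
    return {"allowed": sorted(allowed - denied), "denied": sorted(denied)}


if __name__ == "__main__":
    aces = parse_sddl(WINDEFENDER_SDDL)
    for ace in aces:
        print(f"{ace.section} {ace.kind:5} {ace.trustee:24} {' '.join(ace.rights)}")
    print(explicit_rights(aces, "BUILTIN\\Administrators"))
```

Run against the string from the report, the decoder shows the tamper: the Administrators allow ACE omits SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and a second ACE denies exactly those two, so an elevated `sc stop WinDefender` fails. It also shows what is left in place: LOCAL SYSTEM keeps SERVICE_STOP, and Administrators keep SERVICE_CHANGE_CONFIG and WRITE_DAC, so a responder can stop the service from a SYSTEM context or reset the descriptor with `sc sdset` before deleting it.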

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 569d538a-5162-43e5-9ad3-0e6d82aa10a3.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server1.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

memory/3716-1-0x0000000002920000-0x0000000002D27000-memory.dmp

memory/3716-2-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/3716-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4324-4-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

memory/4324-5-0x0000000004650000-0x0000000004686000-memory.dmp

memory/4324-6-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/4324-7-0x0000000004CC0000-0x00000000052E8000-memory.dmp

memory/4324-8-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/4324-9-0x0000000005470000-0x0000000005492000-memory.dmp

memory/4324-10-0x0000000005510000-0x0000000005576000-memory.dmp

memory/4324-11-0x0000000005580000-0x00000000055E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hidtvqwx.um0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4324-21-0x0000000005700000-0x0000000005A54000-memory.dmp

memory/4324-22-0x0000000005C30000-0x0000000005C4E000-memory.dmp

memory/4324-23-0x0000000005C50000-0x0000000005C9C000-memory.dmp

memory/4324-24-0x0000000006D10000-0x0000000006D54000-memory.dmp

memory/4324-25-0x0000000006F10000-0x0000000006F86000-memory.dmp

memory/4324-26-0x0000000007620000-0x0000000007C9A000-memory.dmp

memory/4324-27-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

memory/4324-29-0x0000000070910000-0x000000007095C000-memory.dmp

memory/4324-28-0x0000000007190000-0x00000000071C2000-memory.dmp

memory/4324-30-0x0000000070A90000-0x0000000070DE4000-memory.dmp

memory/4324-42-0x00000000071F0000-0x0000000007293000-memory.dmp

memory/4324-41-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/4324-40-0x00000000071D0000-0x00000000071EE000-memory.dmp

memory/4324-43-0x00000000072E0000-0x00000000072EA000-memory.dmp

memory/4324-44-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/4324-46-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/4324-45-0x00000000073A0000-0x0000000007436000-memory.dmp

memory/4324-47-0x0000000007300000-0x0000000007311000-memory.dmp

memory/4324-48-0x0000000007340000-0x000000000734E000-memory.dmp

memory/4324-49-0x0000000007350000-0x0000000007364000-memory.dmp

memory/4324-50-0x0000000007440000-0x000000000745A000-memory.dmp

memory/4324-51-0x0000000007390000-0x0000000007398000-memory.dmp

memory/4324-54-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/844-56-0x0000000002990000-0x0000000002D8B000-memory.dmp

memory/3716-57-0x0000000002920000-0x0000000002D27000-memory.dmp

memory/3716-58-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/844-59-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/3792-60-0x0000000006110000-0x0000000006464000-memory.dmp

memory/3792-70-0x0000000070910000-0x000000007095C000-memory.dmp

memory/3792-71-0x0000000071090000-0x00000000713E4000-memory.dmp

memory/3792-81-0x0000000007940000-0x00000000079E3000-memory.dmp

memory/3792-82-0x0000000007C70000-0x0000000007C81000-memory.dmp

memory/3792-83-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

memory/3716-84-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 92bb08ebd8e1c80070848d9333dc1054
SHA1 d29aec7d0b19b1f023a0dbeb8515eaee32ed51ce
SHA256 a57cdca3a75bb3aab88402373f6b1050a1e95f11e9d6107d47beb1f1a96ce553
SHA512 618b89172950c8b36ada058ea088499f546c764683e4eeabe3be09a8d563c68f55a6671d7786a4c259b962101a32bec854e0125c89a23cf2a9596bb6b00b36b3

memory/4356-98-0x0000000070910000-0x000000007095C000-memory.dmp

memory/4356-99-0x0000000071090000-0x00000000713E4000-memory.dmp

memory/2624-119-0x0000000006220000-0x0000000006574000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b6e4f15d3573b0c1f92cf0828d9f01bb
SHA1 f2228027ccefb6f75ec5ab1db911028a8578e1a1
SHA256 3ea6a0df03bd901f553e1f9166d31b6c33af33ea93b17c8a7b97702097da0bc3
SHA512 462f6d44d2232617036d1c37998791071dee32d3f6eb4b8ca36ba337780dce0451a993b7591a418865c92493f80904b1dda151cecfa353b0ee7472390e5b9306

memory/2624-121-0x0000000070910000-0x000000007095C000-memory.dmp

memory/2624-122-0x00000000710B0000-0x0000000071404000-memory.dmp

memory/844-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe (same SHA256 as the submitted sample: the dropper copies itself into C:\Windows\rss)

MD5 37661e453fc7647eddf5f9e9b3778aa0
SHA1 ed7b3cc6d552c45befdbfc0fcf158ee591645d57
SHA256 3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7
SHA512 fcd7ffd51ebcfaa445ac08aa8201a7103df03036e0ec8b24a5dbf806232ac3a44cb107b3db1d3916746790eb6969d4179afb0ce618649c3ca651ab4f477e6f8d

memory/844-137-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b32e084df5a88df8cc88b292b0b32017
SHA1 4a289e0e73bbf580c91c41c1b07da81914d6cd3f
SHA256 895e1123e09e283a11932fb42fbc1564bee303ef6bd3792d9de77ae4d0d9e02b
SHA512 99d8d61c344fede0bb0ce9d8f30d205327117e44f395c1d4f9b5804ed7a062bd6f5144bf8566c30a4b41e8cb4afd2ade44fd43a85057f2995109930a6a213f40

memory/2320-150-0x0000000070910000-0x000000007095C000-memory.dmp

memory/2320-151-0x00000000710B0000-0x0000000071404000-memory.dmp

memory/112-170-0x0000000005EF0000-0x0000000006244000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 adbf7aabc6d1d74cd0d27273ef1ea468
SHA1 96d8382eacebfa73a41092339d641364bf84725e
SHA256 a642ee19ace941862b3d1911dac4a294e922fdff69b005635f94f92b4b0f9fb7
SHA512 a6e71ec79e3d2cdc897ed6113de68db470e4c486244bb17a2c685d5350a90c480f2384ab3e7d42abb5f745286b224d9c420eb9518a17466b4b6c45303a6765d5

memory/112-174-0x00000000064F0000-0x000000000653C000-memory.dmp

memory/112-175-0x0000000070830000-0x000000007087C000-memory.dmp

memory/112-176-0x00000000709B0000-0x0000000070D04000-memory.dmp

memory/112-186-0x00000000076E0000-0x0000000007783000-memory.dmp

memory/112-187-0x0000000007A30000-0x0000000007A41000-memory.dmp

memory/112-188-0x00000000062A0000-0x00000000062B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eda22ccb814c2f8726e5fd4d14333d1b
SHA1 677d804695e9f4d84b56f9b924516df936a05e93
SHA256 63feb3a18ac52bd11544077a9df8d759fa3c239ff6eb96ef22e03cbb50414ad5
SHA512 dea94403cd5b6831bdc4ea1d4e3645591615f252dc8fb4ac778ce0eca63680475106314d5331d8676860e0fc87a7dbaa39b0726138374572354cf55c87322171

memory/4604-200-0x0000000070830000-0x000000007087C000-memory.dmp

memory/4604-201-0x00000000709B0000-0x0000000070D04000-memory.dmp

memory/964-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2648-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/264-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/964-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2648-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/964-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/964-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/964-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/964-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/964-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/964-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/964-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/964-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/964-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/964-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:20

Reported

2024-05-16 10:22

Platform

win11-20240508-en

Max time kernel

149s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 detections; the report records no description, indicator, process or target for any of them.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
5 detections; the report records no description, indicator, process or target for any of them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
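
The firewall, Run key, sc.exe and scheduled-task signatures above all share one trait: a binary named like a core system process (csrss.exe) running from a directory that is not System32. The rules below are an added example written for this page, not part of the report or of any vendor product. They run over constructed process-creation and registry-set events built from the command lines and the Run-key write recorded in this report, plus two benign control events that must not fire. The event schema (`type`, `image`, `cmdline`, `key`, `data`) is assumed, and the list of system binaries and the two system directories are a deliberate simplification.

```python
"""Detection rules for the persistence and tamper commands in this report (added example)."""
import re
from pathlib import PureWindowsPath

# Core system binaries that should only run from the two system directories
# (simplified allow-list for this example).
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                   "svchost.exe", "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

FIREWALL_ADD_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
ALLOW_RE = re.compile(r"\baction=allow\b", re.I)
PROGRAM_RE = re.compile(r"\bprogram=(?:\"([^\"]+)\"|(\S+))", re.I)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
TASK_RUN_RE = re.compile(r"/tr\s+(?:\"([^\"]+)\"|(\S+))", re.I)
HIGHEST_RE = re.compile(r"/rl\s+highest\b", re.I)
SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)
DENY_ADMINS_RE = re.compile(r"\(D;[^)]*;;;BA\)")          # explicit deny ACE for Administrators
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def is_masqueraded_system_binary(path: str) -> bool:
    """True for C:\\Windows\\rss\\csrss.exe, False for C:\\Windows\\System32\\csrss.exe."""
    p = PureWindowsPath(path.strip('"'))
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS


def _arg(m) -> str:
    """Quoted or bare argument captured by PROGRAM_RE / TASK_RUN_RE."""
    return (m.group(1) or m.group(2)) if m else ""


def evaluate(event: dict) -> list:
    """Return the names of the rules that match one event."""
    hits = []
    if event["type"] == "process_create":
        cmd = event["cmdline"]
        if is_masqueraded_system_binary(event["image"]):
            hits.append("masquerade_system_binary")
        if FIREWALL_ADD_RE.search(cmd) and ALLOW_RE.search(cmd) \
                and is_masqueraded_system_binary(_arg(PROGRAM_RE.search(cmd))):
            hits.append("firewall_allow_masqueraded_binary")
        if SCHTASKS_RE.search(cmd) and HIGHEST_RE.search(cmd) \
                and is_masqueraded_system_binary(_arg(TASK_RUN_RE.search(cmd))):
            hits.append("schtask_highest_masqueraded_binary")
        m = SDSET_RE.search(cmd)
        if m and DENY_ADMINS_RE.search(m.group(2)):
            hits.append("service_dacl_denies_administrators")
    elif event["type"] == "registry_set":
        if RUN_KEY_RE.search(event["key"]) and is_masqueraded_system_binary(event["data"]):
            hits.append("run_key_masqueraded_binary")
    return hits


# Constructed events: 0-4 reproduce command lines and the Run-key write from
# this report; 5 and 6 are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
                'program="C:\\Windows\\rss\\csrss.exe" enable=yes'},
    {"type": "process_create", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": 'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"type": "process_create", "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
     "data": r'"C:\Windows\rss\csrss.exe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /CREATE /SC DAILY /RL LIMITED /TR "C:\\Program Files\\Vendor\\updater.exe" /TN VendorUpdate /F'},
    {"type": "process_create", "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow '
                'program="C:\\Program Files\\Vendor\\app.exe" enable=yes'},
]


def scan(events: list) -> dict:
    """Map event index -> matched rule names, omitting events with no hits."""
    results = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], hits)
```

The rules key on the masqueraded path rather than on the name "csrss" alone, so a rebuilt sample that drops under a different directory still fires as long as it keeps the system-process name; the `sc sdset` rule keys on the deny ACE for BA, which is the part of the descriptor that makes the service hard to stop, independent of the service name. Registry events also reach the Run-key rule, covering the write recorded under "Adds Run key to start application" above.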

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A (repeated ×5)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (repeated ×10)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (repeated ×6)
N/A N/A C:\Windows\rss\csrss.exe N/A (repeated ×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (repeated ×6)
N/A N/A C:\Windows\rss\csrss.exe N/A (repeated ×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (repeated ×4)
N/A N/A C:\Windows\rss\csrss.exe N/A (repeated ×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (repeated ×16)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (repeated ×6)
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (repeated ×2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (repeated ×3)
PID 2472 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (repeated ×3)
PID 2472 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\system32\cmd.exe (repeated ×2)
PID 536 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (repeated ×2)
PID 2472 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (repeated ×3)
PID 2472 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (repeated ×3)
PID 2472 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe C:\Windows\rss\csrss.exe (repeated ×3)
PID 4660 wrote to memory of 4836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (repeated ×3)
PID 4660 wrote to memory of 5100 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (repeated ×3)
PID 4660 wrote to memory of 1908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (repeated ×3)
PID 4660 wrote to memory of 4624 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (repeated ×2)
PID 1316 wrote to memory of 4876 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (repeated ×3)
PID 4876 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (repeated ×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe

"C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe

"C:\Users\Admin\AppData\Local\Temp\3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (repeated ×2)
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp (repeated ×3)

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ltm0xbw.efg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4b3052101f32061748bb57eb494f6b47
SHA1 e6eee647c585de6547989f672f49119f2676ff56
SHA256 2ab784ad5a25a1fd858cc438b7954227e39b9b4500b94706e71ee1c795acfb94
SHA512 42061563c04be31325e94de42dda8365e6020457e072211f51178e30e36936cc91647197e911cc8cca788b9511506f877c9ba57a8769d0c558b7a3814a0e570c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 74a5a744087cdd23f809562428b67caf
SHA1 84d10a14737a064f31a670e289d98bfd832e72f6
SHA256 ebe58f8b30d5b09d25ae6af24d87a1c45dbd028ddafc25c9774840f151c05769
SHA512 fde7ba475731e53bc1326b6b9dfa9f960b17895ece383c5fc4713809ae174539b0c3309ab731e963fb59065b4629ebe0bcc13043df15bf0d943ce5f79cddfd17

C:\Windows\rss\csrss.exe

MD5 37661e453fc7647eddf5f9e9b3778aa0
SHA1 ed7b3cc6d552c45befdbfc0fcf158ee591645d57
SHA256 3a4298139a4b2c70379737b8abfdae93c44a3650d205c0773c3e6e69c78ef5b7
SHA512 fcd7ffd51ebcfaa445ac08aa8201a7103df03036e0ec8b24a5dbf806232ac3a44cb107b3db1d3916746790eb6969d4179afb0ce618649c3ca651ab4f477e6f8d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab0334580951647271493082023e63eb
SHA1 c791e4b36c8c1188f5fb6b3ca624915f93fa5d51
SHA256 784b518ba7602e8f438e697a5a9949874cfcdf0eb44b0d3b07f35459adcffbdd
SHA512 5d234d8eb1ee9ba434ca41b6904a032ef1cd08e9a2250407e243c00d0379bbec61f4981cbb810e52f2a11ef6d6c0fa4d75964179afef0abd4f37e0904ba5d579

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b31b9144239fd64793c0d646719fb486
SHA1 2fe3fc43703c0c4e7fc7ddcfb79ada61e12154e9
SHA256 c607d2142a540cf7b3e47f55e18c4410d573b0f42e0b4116d082370feb75788f
SHA512 60bfdd95159c00e3010f5d456383fc1c9f7cee391e96f6414461485712c7d1f0794203770b312fdd0e9ed364f4f8c351f4669c500fdf41c07941e1bcba4c235a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a1face9d3ab399a1b3ac9d3f37c94249
SHA1 14d97b58e8e72c56e5718e5ab5df4e2d3df11ca6
SHA256 0b6bd6922ca914f95d2893988fc29a5516e91f1bb40dd44b02c22897fac31841
SHA512 cc812d046438470cc1159e9631ad57ac4e9c9fecf57ee01c1c8e6a64b0540f65099338c6720b6f53d50d9f90b95129e67d61e43553b380c484653f5660db5c9b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
