Malware Analysis Report

2024-12-08 02:05

Sample ID 240516-mc49nafh3s
Target 4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1
SHA256 4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1

Threat Level: Known bad

The file 4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:20

Reported

2024-05-16 10:22

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\system32\cmd.exe
PID 808 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\system32\cmd.exe
PID 4120 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4120 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 808 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\rss\csrss.exe
PID 808 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\rss\csrss.exe
PID 808 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\rss\csrss.exe
PID 2620 wrote to memory of 4372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 4372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 4372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 3736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 3736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 3736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 3792 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2620 wrote to memory of 3792 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2572 wrote to memory of 3712 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3712 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3712 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3712 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3712 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3712 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe

"C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe

"C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.216:443 www.bing.com tcp
US 8.8.8.8:53 216.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 c1b075e8-e869-4525-ae56-7aac2293773d.uuid.datadumpcloud.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server4.datadumpcloud.org udp
N/A 127.0.0.1:3478 udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/3084-1-0x0000000002950000-0x0000000002D4C000-memory.dmp

memory/3084-2-0x0000000002D50000-0x000000000363B000-memory.dmp

memory/3084-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1600-4-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/1600-5-0x0000000004F60000-0x0000000004F96000-memory.dmp

memory/1600-6-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1600-7-0x0000000005610000-0x0000000005C38000-memory.dmp

memory/1600-8-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1600-9-0x0000000005570000-0x0000000005592000-memory.dmp

memory/1600-11-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/1600-10-0x0000000005CF0000-0x0000000005D56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3glo0qc.1u0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1600-17-0x0000000005F80000-0x00000000062D4000-memory.dmp

memory/1600-22-0x0000000006510000-0x000000000652E000-memory.dmp

memory/1600-23-0x0000000006530000-0x000000000657C000-memory.dmp

memory/1600-24-0x0000000006AB0000-0x0000000006AF4000-memory.dmp

memory/1600-25-0x0000000007890000-0x0000000007906000-memory.dmp

memory/1600-26-0x0000000007F90000-0x000000000860A000-memory.dmp

memory/1600-27-0x0000000007850000-0x000000000786A000-memory.dmp

memory/1600-29-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/1600-30-0x00000000712A0000-0x00000000715F4000-memory.dmp

memory/1600-28-0x0000000007A80000-0x0000000007AB2000-memory.dmp

memory/1600-40-0x0000000007AC0000-0x0000000007ADE000-memory.dmp

memory/1600-41-0x0000000007AE0000-0x0000000007B83000-memory.dmp

memory/1600-42-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1600-44-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/1600-43-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

memory/1600-45-0x0000000007CA0000-0x0000000007D36000-memory.dmp

memory/1600-46-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/1600-47-0x0000000007C40000-0x0000000007C4E000-memory.dmp

memory/1600-48-0x0000000007C50000-0x0000000007C64000-memory.dmp

memory/1600-49-0x0000000007D40000-0x0000000007D5A000-memory.dmp

memory/1600-50-0x0000000007C80000-0x0000000007C88000-memory.dmp

memory/1600-53-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/808-55-0x0000000002A80000-0x0000000002E7C000-memory.dmp

memory/808-56-0x0000000002E80000-0x000000000376B000-memory.dmp

memory/1128-62-0x00000000055E0000-0x0000000005934000-memory.dmp

memory/1128-67-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/1128-68-0x00000000718F0000-0x0000000071C44000-memory.dmp

memory/1128-78-0x0000000006E80000-0x0000000006F23000-memory.dmp

memory/3084-80-0x0000000002950000-0x0000000002D4C000-memory.dmp

memory/3084-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1128-81-0x00000000071A0000-0x00000000071B1000-memory.dmp

memory/1128-82-0x00000000071F0000-0x0000000007204000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4416-95-0x0000000005DE0000-0x0000000006134000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 064a9380766056085d18f842899029e8
SHA1 ecc96f73a2c3bc841bd4b10acf5988d861b0661c
SHA256 7f198816d3651da891d8401af5174f3ca3f8bc028e4b8eb6ad719f4160131182
SHA512 e563653ca9ad6cfc2d037715aceb8001bb96791aef285ae8495f752511767473eeaba90b54f0711b7593265156894bb14313b14e63cc9056cda6736692f39757

memory/4416-97-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/4416-98-0x0000000070CC0000-0x0000000071014000-memory.dmp

memory/4368-109-0x00000000061F0000-0x0000000006544000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a065774bec5231aa109da5bc30c75c8
SHA1 983c5e5def156e1a1c668c44b08aa569e3df80bb
SHA256 c3855142457edb7671fc35b5bf589791f3900179fd37fca5f6d862afc9615312
SHA512 db82e0525daafa3582865e12e2e3a968e33a5f9e71ee2535f8af50c0c94f9a483960f66164d43ffcfd38b983f540de831e04786b896c223abdce5108c10911ef

memory/4368-120-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/4368-121-0x00000000712C0000-0x0000000071614000-memory.dmp

memory/808-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 609fbcae43f2905439a1ed85955018ba
SHA1 803e7df2eef1ac2dd78fbc0aef061a5637dae590
SHA256 4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1
SHA512 dab4dabb6c0aeef5e502a14588990a461ba3281171522a32c38b9ee938446a965ba8917e8d17065c2c2ed99a54fa01aaa433638bb83b8f71e70c970d9b272ac5

memory/808-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6d7b98219205b8eb9e1c82d86f54c904
SHA1 0a3d0961126f6eaec4feaaf69d9e7bbb0feacaf4
SHA256 5344aee93d2fc6e3e65c9391516e309b07c97dd4fca96717a4a9b2d89971200d
SHA512 785e4b9de5fcfc03059ca3342eca17c921e887c181770d6d70483b383ce7a95aebba6761d22123b73805371984812a980969d01a1d83f70b3f336471543d302a

memory/4372-149-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/4372-150-0x00000000712C0000-0x0000000071614000-memory.dmp

memory/3736-171-0x0000000005C70000-0x0000000005FC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5e5e55bcb57f5744fe751fd3f5df4e09
SHA1 bbc09234c03ff312b877c403934a7cecae0cd0ac
SHA256 4a333039d1538eec480faac3757cba9a6bd4fa9a530281ee02002f7652293453
SHA512 36eab681882b765206145814a7e9d502c297289a13130e7c4c838f68745c46410ed4f48b115da4d71d7897a873a6047618d16739f7aa799aebbb59fb477f3cdd

memory/3736-173-0x0000000006200000-0x000000000624C000-memory.dmp

memory/3736-174-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/3736-175-0x0000000070BE0000-0x0000000070F34000-memory.dmp

memory/3736-185-0x0000000007410000-0x00000000074B3000-memory.dmp

memory/3736-186-0x0000000007790000-0x00000000077A1000-memory.dmp

memory/3736-187-0x0000000005AC0000-0x0000000005AD4000-memory.dmp

memory/452-194-0x0000000005D70000-0x00000000060C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d7e8aa5f9d0d3eb7127eaf1d80333a24
SHA1 2fd5c50a811dd7bd470c5890ed90ebb1daa6e813
SHA256 127024bf88c57bd45a6640846f38c03010425b8156deaff35f3992df8a2e6e87
SHA512 b41a072e3c214b0c62f7f154769389ed66fa31effb10ac95f77a537d517f286f492bdc45a3eca6bc38ba772edf66b8d63c8e16c6826391ca6cb40421ea2582c3

memory/452-200-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/452-201-0x00000000711F0000-0x0000000071544000-memory.dmp

memory/2620-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2572-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2620-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4392-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2572-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2620-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4392-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2620-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4392-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2620-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-260-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:20

Reported

2024-05-16 10:22

Platform

win11-20240426-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\system32\cmd.exe
PID 3520 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\system32\cmd.exe
PID 3680 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3680 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3520 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\rss\csrss.exe
PID 3520 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\rss\csrss.exe
PID 3520 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe C:\Windows\rss\csrss.exe
PID 2520 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 4740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3008 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3008 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3008 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3616 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3616 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3616 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3048 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2520 wrote to memory of 3048 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2148 wrote to memory of 884 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 884 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 884 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 4208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 884 wrote to memory of 4208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 884 wrote to memory of 4208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe

"C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe

"C:\Users\Admin\AppData\Local\Temp\4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 9a71d248-e731-4bc8-807e-de529a9c1a7c.uuid.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.datadumpcloud.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.104:443 server15.datadumpcloud.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server15.datadumpcloud.org tcp
BG 185.82.216.104:443 server15.datadumpcloud.org tcp

Files

memory/1388-1-0x0000000002A80000-0x0000000002E82000-memory.dmp

memory/1388-2-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/1388-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1492-4-0x000000007488E000-0x000000007488F000-memory.dmp

memory/1492-5-0x0000000003140000-0x0000000003176000-memory.dmp

memory/1492-6-0x0000000005890000-0x0000000005EBA000-memory.dmp

memory/1492-7-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1492-8-0x0000000005730000-0x0000000005752000-memory.dmp

memory/1492-9-0x0000000006030000-0x0000000006096000-memory.dmp

memory/1492-10-0x00000000060A0000-0x0000000006106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_usxkevb0.i11.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1492-19-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1492-20-0x0000000006110000-0x0000000006467000-memory.dmp

memory/1492-21-0x00000000065B0000-0x00000000065CE000-memory.dmp

memory/1492-22-0x0000000006600000-0x000000000664C000-memory.dmp

memory/1492-23-0x0000000007740000-0x0000000007786000-memory.dmp

memory/1492-25-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1492-24-0x00000000079F0000-0x0000000007A24000-memory.dmp

memory/1492-26-0x0000000070D40000-0x0000000071097000-memory.dmp

memory/1492-35-0x0000000007A30000-0x0000000007A4E000-memory.dmp

memory/1492-36-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1492-37-0x0000000007A50000-0x0000000007AF4000-memory.dmp

memory/1492-38-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1492-40-0x0000000007B80000-0x0000000007B9A000-memory.dmp

memory/1492-39-0x00000000081C0000-0x000000000883A000-memory.dmp

memory/1492-41-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

memory/1492-42-0x0000000007CD0000-0x0000000007D66000-memory.dmp

memory/1492-43-0x0000000007BE0000-0x0000000007BF1000-memory.dmp

memory/1492-44-0x0000000007C30000-0x0000000007C3E000-memory.dmp

memory/1492-45-0x0000000007C40000-0x0000000007C55000-memory.dmp

memory/1492-46-0x0000000007C90000-0x0000000007CAA000-memory.dmp

memory/1492-47-0x0000000007CB0000-0x0000000007CB8000-memory.dmp

memory/1492-50-0x0000000074880000-0x0000000075031000-memory.dmp

memory/3520-52-0x0000000002A40000-0x0000000002E3B000-memory.dmp

memory/712-61-0x0000000006300000-0x0000000006657000-memory.dmp

memory/712-62-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/712-63-0x0000000070D00000-0x0000000071057000-memory.dmp

memory/712-72-0x0000000007A10000-0x0000000007AB4000-memory.dmp

memory/712-73-0x0000000007D40000-0x0000000007D51000-memory.dmp

memory/1388-74-0x0000000002A80000-0x0000000002E82000-memory.dmp

memory/1388-75-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/712-76-0x0000000007D90000-0x0000000007DA5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2132-88-0x00000000055B0000-0x0000000005907000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 84012cc598c5065a163e93efb3c85087
SHA1 85dcaecbc29f2fa4b1e671015570c02caee990e5
SHA256 2483fccf7dd553a713ba65ba04431468483bc69287a96576bbb330d0292a055c
SHA512 53c3364515657dcb2234daaf31eb14f954aadda932591bd0e0e1b383aca1b00e174360709f240980aa7732bc6f9a15836d0d844284e5ba662d3c78838fb2d60d

memory/1388-90-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2132-91-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/2132-92-0x0000000070C70000-0x0000000070FC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf3e9bcff5da7ca23ee3c3bf4f680b06
SHA1 662e3f8a27cc6d064415af9f7c2f679d53479ce6
SHA256 36303a3b79c50a68c75f03cd84202e623e6cd5bbb9dc2779e7add7b03eef111f
SHA512 a16d7be19721410b73bc245c2febae3ae309c5998075913d7f1520e94195220ecfafc852c8c9b24407458b44ffc447b7638e0bf293c766b7f08f56e0be2bd19c

memory/244-111-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/244-112-0x0000000070D40000-0x0000000071097000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 609fbcae43f2905439a1ed85955018ba
SHA1 803e7df2eef1ac2dd78fbc0aef061a5637dae590
SHA256 4c5247759d4e4d4c312887bd79fc5fef793d912e63381719ac15d7c6e6c7d1a1
SHA512 dab4dabb6c0aeef5e502a14588990a461ba3281171522a32c38b9ee938446a965ba8917e8d17065c2c2ed99a54fa01aaa433638bb83b8f71e70c970d9b272ac5

memory/3520-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0818c5739aecbb84d8f05a2945036142
SHA1 80811940cb82d9c014f65c30c086f4fa1e16f1ea
SHA256 55ff7f3068b93ccd9311b3140db6dcad8879a5ded3df11ee8e3ce0daad4cc9a3
SHA512 0a30a240874ea177b4fe9002e22657d53b3f8896b24c09318ec06de5f75e0fba6edc59371dfbb38d44d69478f864b8a8edae90ebd0fa73e936d009ed57afa68f

memory/4740-137-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/4740-138-0x0000000070D40000-0x0000000071097000-memory.dmp

memory/3008-153-0x0000000006230000-0x0000000006587000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f86ed8935940ef0c370e7b8b73bf5079
SHA1 5677f1785d2a59f6ff1ebaf17b0aeb117233c9a8
SHA256 a63bea5998eef4e1ca714f07598d8fe41918bbf4c8f488a36bbc1f6a2eddfe70
SHA512 8314170c37f73c9a612fb9a0492c2c61db858f095ce70933ba36ac360315352f6029a9560ca74dafc06017a9ac3ad292f0037dee5ca275925cbabdad0e8cc67a

memory/3008-158-0x0000000006D30000-0x0000000006D7C000-memory.dmp

memory/3008-159-0x0000000070A10000-0x0000000070A5C000-memory.dmp

memory/3008-160-0x0000000070C60000-0x0000000070FB7000-memory.dmp

memory/3008-169-0x0000000007A40000-0x0000000007AE4000-memory.dmp

memory/3008-170-0x0000000007DE0000-0x0000000007DF1000-memory.dmp

memory/3008-171-0x00000000065F0000-0x0000000006605000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6e69047aa173184123a8b1f057835df3
SHA1 480ed58437b2820a2f3d7f9564a79c199cda8b5c
SHA256 03df88ba64fa7bd13d628d62a43e62156dc5b1228afc011ea595e537479f74b1
SHA512 e46745d9853d9ea5a08f053bb611f70749e62db4492fa8bfc5595784c69b6ca6859087094c10717f3f6f3c696535bf7ec93879b057ee6057db9794cfb3e2275b

memory/3616-184-0x0000000070C60000-0x0000000070FB7000-memory.dmp

memory/3616-183-0x0000000070A10000-0x0000000070A5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2520-199-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2148-204-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2148-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2364-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2520-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2364-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2520-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2364-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2520-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2520-243-0x0000000000400000-0x0000000000D1C000-memory.dmp