Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-megldafh9t
Target 311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a
SHA256 311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a

Threat Level: Known bad

The file 311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:22

Reported

2024-05-16 10:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 matches recorded; the sandbox captured no description, indicator, process or target for any of them.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches recorded; the sandbox captured no description, indicator, process or target for any of them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

The paths below sit under C:\Windows\SysWOW64\config\systemprofile, the profile directory of the LocalSystem account: these 32-bit powershell.exe instances were running as SYSTEM when they wrote their CLR usage log and start-up profile data.

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Despite the signature name, the indicator is a device, not a DLL: \??\VBoxMiniRdrDN is the device object created by the VirtualBox shared-folders driver (VBoxSF) in a guest with Guest Additions installed. The open only succeeds under VirtualBox, so the attempt is a VM-presence check.

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Two kinds of writes appear below. The MuiCache values (@tzres.dll,-NNN = a time-zone display name) are written by the sample and by windefender.exe; MuiCache is where Windows caches strings resolved from resource DLLs, so these rows are the side effect of both binaries resolving time-zone display names, not a persistence or configuration change. The SystemCertificates, WinTrust and Internet Settings keys are created by powershell.exe under HKEY_USERS\.DEFAULT, the hive used by the LocalSystem account, which agrees with the powershell.exe.log written under config\systemprofile above.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe 12
C:\Windows\rss\csrss.exe 6
(64 events in all, grouped by process; the sandbox recorded no description, indicator or target for any of them.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Writes Process Target
PID 4264 wrote to memory of 2892 3 C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 3076 3 C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 2544 2 C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2080 2 C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3256 wrote to memory of 4352 3 C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 3212 3 C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 4924 3 C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\rss\csrss.exe
PID 4924 wrote to memory of 3728 3 C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2232 3 C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 1644 3 C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4352 2 C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2116 wrote to memory of 3584 3 C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 836 3 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
(36 write events in all; the sandbox logged each child-process spawn as two or three identical rows, collapsed here into the Writes column. The Indicator column was N/A throughout. PID 4352 appears twice because it was reused within the run: first for a powershell.exe child of 3256, later for the injector.exe child of 4924.)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe

"C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe

"C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

(Sysnative is the WoW64 alias through which a 32-bit process reaches the native 64-bit System32. The sample is 32-bit, which is why its PowerShell and sc.exe children are the SysWOW64 binaries while this cmd.exe and the netsh.exe it launches are the 64-bit System32 ones.)

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
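The command lines above carry the whole persistence and evasion story of this sample in four strings: a dropped binary named csrss.exe running from C:\Windows\rss instead of System32, a highest-privilege logon task and a firewall allow rule that both point at it, and an sc sdset that rewrites the WinDefender service's security descriptor. The triage below is an added example (not part of the sandbox report and not Glupteba's own code) that applies those four rules to rows constructed from this report's Processes list; the allow-lists of system-only image names and trusted directories are assumptions for the example, and cmd.exe /C wrappers are unwrapped so the inner netsh or sc command is judged on its own.

```python
"""Triage of sandbox "Processes" command lines (added example, not from the
report).  Rules: a system-only image name outside the system directories, a
scheduled task whose target is untrusted, a firewall allow rule for an
untrusted program, and any sc sdset.  cmd.exe /C wrappers are unwrapped.
"""
import ntpath
import re

# Constructed allow-lists for the example; extend from your own baseline.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\sysnative")
TRUSTED_PREFIXES = SYSTEM_DIRS + (r"c:\program files",)


def exe_name(image):
    """Lower-cased basename; bare names such as 'sc' get '.exe' appended."""
    name = ntpath.basename(image.strip('"')).lower()
    return name if name.endswith(".exe") else name + ".exe"


def trusted_path(path):
    p = path.strip('"').lower()
    return any(p.startswith(prefix + "\\") for prefix in TRUSTED_PREFIXES)


def tokens(cmdline):
    """Whitespace split that keeps "quoted strings" as one token."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def kv_pairs(argv):
    """netsh-style key=value arguments with quotes stripped from the value."""
    out = {}
    for a in argv:
        if "=" in a:
            k, v = a.split("=", 1)
            out[k.lower()] = v.strip('"')
    return out


def triage(image, cmdline):
    """Return [(rule, detail), ...] for one process."""
    findings = []
    name = exe_name(image)
    argv = tokens(cmdline)[1:]
    low = [a.lower() for a in argv]

    if (name in SYSTEM_ONLY_NAMES
            and ntpath.dirname(image.strip('"')).lower() not in SYSTEM_DIRS):
        findings.append(("masquerade", image))

    if name == "cmd.exe":                       # judge the wrapped command
        m = re.search(r"\s/c\s+(.*)$", cmdline, re.IGNORECASE)
        inner = m.group(1).strip() if m else ""
        if inner.startswith('"') and inner.endswith('"'):
            inner = inner[1:-1]                 # cmd strips the outer quotes
        if inner:
            findings += triage(tokens(inner)[0], inner)
        return findings

    if name == "schtasks.exe" and "/create" in low:
        opts = {low[i]: argv[i + 1].strip('"')
                for i in range(len(argv) - 1) if low[i].startswith("/")}
        target = opts.get("/tr", "")
        if not trusted_path(target):
            findings.append(("scheduled-task", f"{opts.get('/tn')} -> {target} "
                             f"(sc={opts.get('/sc')}, rl={opts.get('/rl')})"))

    if name == "netsh.exe" and low[:4] == ["advfirewall", "firewall", "add", "rule"]:
        kv = kv_pairs(argv)
        prog = kv.get("program")
        if kv.get("action") == "allow" and prog and not trusted_path(prog):
            findings.append(("firewall-allow", f"{kv.get('name')} -> {prog}"))

    if name == "sc.exe" and low[:1] == ["sdset"]:
        findings.append(("service-sddl-rewrite", " ".join(argv[1:3])))

    return findings


# Rows constructed from the report's Processes list: (image, command line).
SAMPLE = [
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule '
     r'name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", "schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     "cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
     "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
     "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nologo -noprofile"),
]


def triage_all(rows):
    return [(rule, detail, image)
            for image, cmd in rows for rule, detail in triage(image, cmd)]


if __name__ == "__main__":
    for rule, detail, image in triage_all(SAMPLE):
        print(f"{rule:22} {detail}")
```

Run against the constructed rows the script reports exactly four findings, one per rule; the schtasks /delete and the bare powershell rows produce nothing, and the same task pointing at a Program Files path would also be silent, which is the point of keying on the target path rather than on schtasks itself.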
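The SDDL string passed to sc sdset deserves a closer read than the signature "Launches sc.exe" gives it. SDDL reuses the same two-letter right codes for every object type; on a service object CC is SERVICE_QUERY_CONFIG, RP is SERVICE_START, WP is SERVICE_STOP and DT is SERVICE_PAUSE_CONTINUE. The descriptor grants Local System everything including stop, grants Builtin Administrators change-config, delete, WRITE_DAC and WRITE_OWNER but not stop or pause, and then adds an explicit deny of WP and DT for Administrators; Interactive and Service logons get query rights only. The decoder below is an added example (not from the report or the malware) that parses that string and walks the DACL the way AccessCheck would for a token holding a single SID, to show who can still stop the service. The trustee and right tables are the standard SDDL abbreviations; group membership of a real token is deliberately not modelled.

```python
"""Decoder for the service security descriptor applied by sc sdset (added
example, not from the report).  parse_sddl() splits DACL and SACL into ACEs,
evaluate() resolves one trustee's rights in ACE order, stop_control() lists
who can issue SERVICE_STOP.
"""
import re

# Two-letter right codes as they map onto service access masks.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive Users", "SU": "Service Logon", "WD": "Everyone"}

# The descriptor from the report's sc sdset command line.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
        "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def decode_rights(rights):
    if rights.startswith("0x"):            # numeric mask: left undecoded
        return {rights}
    return {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
            for i in range(0, len(rights), 2)}


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]} with one dict per ACE."""
    acls = {}
    for key, body in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))*)", sddl):
        aces = []
        for fields in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit, sid = fields.split(";")[:6]
            aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                         "flags": flags,   # "FA" on an audit ACE: log failed access
                         "rights": decode_rights(rights),
                         "trustee": TRUSTEES.get(sid, sid)})
        acls[key] = aces
    return acls


def evaluate(acls, trustee):
    """Per right, the first DACL ACE naming the trustee decides it, which is
    what AccessCheck does for a single-right request by a single-SID token.
    Group membership (an admin token also carries IU, WD, ...) is ignored."""
    granted, refused = set(), set()
    for ace in acls.get("D", []):
        if ace["trustee"] != trustee or ace["type"] not in ("allow", "deny"):
            continue
        undecided = ace["rights"] - granted - refused
        (granted if ace["type"] == "allow" else refused).update(undecided)
    return granted, refused


def stop_control(acls):
    """Which trustees named in the DACL can issue SERVICE_STOP."""
    trustees = list(dict.fromkeys(a["trustee"] for a in acls.get("D", [])))
    return {t: "SERVICE_STOP" in evaluate(acls, t)[0] for t in trustees}


if __name__ == "__main__":
    parsed = parse_sddl(SDDL)
    for who, ok in stop_control(parsed).items():
        print(f"{who:24} can stop: {ok}")
```

For this descriptor only Local System can stop or pause WinDefender; an administrator running sc stop or net stop fails. Because Administrators keep SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, recovery is still possible without booting offline: rewrite the descriptor with sc sdset (or change the start type with sc config) first, then stop and delete the service. The SACL audit ACE with the FA flag means failed access attempts by Everyone are logged, so a failed stop from an admin shell shows up in the Security log as an audit failure on the service object.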

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 242.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 f5e17c61-0164-4489-ae84-d1ff20c13a07.uuid.myfastupdate.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server4.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server4.myfastupdate.org tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server4.myfastupdate.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.111:443 server4.myfastupdate.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4264-1-0x0000000002990000-0x0000000002D8B000-memory.dmp

memory/4264-2-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/4264-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-4-0x000000007455E000-0x000000007455F000-memory.dmp

memory/2892-5-0x0000000005360000-0x0000000005396000-memory.dmp

memory/2892-6-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/2892-7-0x00000000059D0000-0x0000000005FF8000-memory.dmp

memory/2892-8-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/2892-9-0x00000000058F0000-0x0000000005912000-memory.dmp

memory/2892-10-0x00000000061F0000-0x0000000006256000-memory.dmp

memory/2892-11-0x0000000006260000-0x00000000062C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cucqecdy.sim.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2892-21-0x00000000062D0000-0x0000000006624000-memory.dmp

memory/2892-22-0x00000000068D0000-0x00000000068EE000-memory.dmp

memory/2892-23-0x0000000006970000-0x00000000069BC000-memory.dmp

memory/2892-24-0x0000000006E20000-0x0000000006E64000-memory.dmp

memory/2892-25-0x0000000007BE0000-0x0000000007C56000-memory.dmp

memory/2892-26-0x00000000082E0000-0x000000000895A000-memory.dmp

memory/2892-27-0x0000000007C80000-0x0000000007C9A000-memory.dmp

memory/2892-29-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/2892-30-0x0000000070AF0000-0x0000000070E44000-memory.dmp

memory/2892-28-0x0000000007E40000-0x0000000007E72000-memory.dmp

memory/2892-41-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/2892-40-0x0000000007E80000-0x0000000007E9E000-memory.dmp

memory/2892-42-0x0000000007EA0000-0x0000000007F43000-memory.dmp

memory/2892-43-0x0000000007F90000-0x0000000007F9A000-memory.dmp

memory/2892-44-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/2892-45-0x00000000080A0000-0x0000000008136000-memory.dmp

memory/2892-46-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/2892-47-0x0000000007FA0000-0x0000000007FB1000-memory.dmp

memory/2892-48-0x0000000007FE0000-0x0000000007FEE000-memory.dmp

memory/2892-49-0x0000000008000000-0x0000000008014000-memory.dmp

memory/2892-50-0x0000000008050000-0x000000000806A000-memory.dmp

memory/2892-51-0x0000000008040000-0x0000000008048000-memory.dmp

memory/2892-54-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/3256-56-0x0000000002950000-0x0000000002D4C000-memory.dmp

memory/4264-57-0x0000000002990000-0x0000000002D8B000-memory.dmp

memory/3256-58-0x0000000002D50000-0x000000000363B000-memory.dmp

memory/3076-59-0x0000000005DC0000-0x0000000006114000-memory.dmp

memory/3076-70-0x0000000070B70000-0x0000000070EC4000-memory.dmp

memory/3076-69-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/3076-80-0x00000000075E0000-0x0000000007683000-memory.dmp

memory/3076-81-0x00000000078D0000-0x00000000078E1000-memory.dmp

memory/3076-82-0x0000000007920000-0x0000000007934000-memory.dmp

memory/4264-85-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4352-96-0x00000000055F0000-0x0000000005944000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e04bc306d01561228be786e43946b38b
SHA1 9665542728c3ff16f499c9bde72e57346c6d8c24
SHA256 26843b151bc25e8edc97893aea94a50541f665282b570c322c28914c15118aa7
SHA512 47536eef44bcd859b25c7eae1663268b8a406f65f798596fa93c929d413d5ec14738f24b996dad7f146eb65886a48c82fdb660cfb5872f30fc29e2bb3edee385

memory/4352-98-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/4352-99-0x0000000070570000-0x00000000708C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 61d644f904af641a209fc21dcb78250f
SHA1 a0d1e7da8accecf67dfdad0808cf29f253f95b6a
SHA256 6d959a483455a779036776dd1be9e7376c1c61e02f5e2a34c03e0f93aaff0cd6
SHA512 67b9f669588ff83e50b0d0fe26f96af4653641b1bf9033acdf205c6ef60385bd276a95cbfbc4d432af44753c1b0db88376ddf49cd95d8939925272676cd79d47

memory/3212-120-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/3212-121-0x0000000070B70000-0x0000000070EC4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 66704c4648d3dd1ece32a06644386ff2
SHA1 63b9d767df00cb65447992ef7353527d7caee2c6
SHA256 311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a
SHA512 74c7a6ee75fca3a12bc5dac376dd8d09b7999c23db59882d20e30aa283397d1a54fb2bc2304184c129fda123dfe8153aa11e182151dee9fd7c3144b6dbf11f22

memory/3256-137-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3728-147-0x0000000005F00000-0x0000000006254000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 11051b9ad2df6556e3dec51e8e565367
SHA1 5ff3bd53910abbbcec4c4c0bbb44c1a8a246dfc5
SHA256 91af0fa35c52133735a1239fe064883de228df9aaff977f462dd03ee85b04aba
SHA512 f8d61f2c0c29a3bd622bac6d1bc029f9da215a1430a916c09690bc47fc03fb21ed357361e210b8e15616a368c8d3fb1d6fe3314256fbb8ac027c236194df647b

memory/3728-149-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/3728-150-0x0000000070590000-0x00000000708E4000-memory.dmp

memory/2232-162-0x00000000054F0000-0x0000000005844000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3bb36e02b3b91d99b9000062773cf04
SHA1 24976775af571c6113963af943bfbe6f0bf6a386
SHA256 d0acb0c5f3e1a206aa10f52e66a69f236e18d6d8ff7f81d016b2457a6bcafa64
SHA512 befb496b11473602ded3b12d847cfa905541114d85412af61dbde53738127960a013da33b782b5e0785368dcb1a764bfc13ca366ea2236b848911ed7b8a2f608

memory/2232-173-0x0000000005D90000-0x0000000005DDC000-memory.dmp

memory/2232-174-0x0000000070310000-0x000000007035C000-memory.dmp

memory/2232-175-0x0000000070AA0000-0x0000000070DF4000-memory.dmp

memory/2232-185-0x0000000006E40000-0x0000000006EE3000-memory.dmp

memory/2232-186-0x0000000007010000-0x0000000007021000-memory.dmp

memory/2232-187-0x00000000059C0000-0x00000000059D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 953d0ce7088a9bcc694546715c7faf41
SHA1 e18b72fe55030aa91a6c2e82d3f9cd48b1c6f08b
SHA256 08bef6cc6d02ca12a35b89558987155d8b631093954977400ae6fa42ce35bf17
SHA512 18ca3e5f2787850fa1fa8bf82250a0801020f99cd0722058be0d5aa4f3099a5d84545a859aaf5a4e17e955268133634dadcd92cf4147dd093cc3096489be432f

memory/1644-199-0x0000000070310000-0x000000007035C000-memory.dmp

memory/1644-200-0x0000000070AA0000-0x0000000070DF4000-memory.dmp

memory/4924-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3256-219-0x0000000002950000-0x0000000002D4C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2116-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/440-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2116-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4924-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/440-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4924-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/440-242-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4924-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-266-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-269-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4924-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:22

Reported

2024-05-16 10:25

Platform

win11-20240508-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 matches; the sandbox recorded no description, indicator, process or target for any of them.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches; the sandbox recorded no description, indicator, process or target for any of them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\system32\cmd.exe
PID 3460 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2352 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe C:\Windows\rss\csrss.exe
PID 488 wrote to memory of 1924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 488 wrote to memory of 3904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 488 wrote to memory of 4232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 488 wrote to memory of 5048 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2428 wrote to memory of 4728 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 3616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe

"C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe

"C:\Users\Admin\AppData\Local\Temp\311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server14.myfastupdate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
US 74.125.250.129:19302 stun4.l.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eln5vhnn.qgf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 93c6c5698ff89bf1ac7f30736a604db3
SHA1 f71f08f7918191748385a5ee3cb229f8c1464a89
SHA256 dcde811ec19679a4463855fbc11988e92e4d2ad3003a38996d63fdadfeb2ccb9
SHA512 d06f20d6363d36fec1315292220d7475db326b9a3abe6e103419b1cd6a81d1d10256578a63f3e265bbe21a05b8ff5e11e797f5d7be656eba47fdc23a1e947cbd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0e4921de9fd077e244b5935600f7c66d
SHA1 ce24b9c323215938f292ef7ad39992d74a01c9a7
SHA256 69a0b7208dc0b8d11ac75ab04c2c56cb59fd9a0d44f54ab11178f455d6f0c87d
SHA512 adb97b212c84b2eb51d73d87102553138620ebefabb6dc4a3c1b058b973878d78f2b1dda40c74ba37cabeb505a6c38066d3b7ded0f7a953ad4c3304bded413c8

C:\Windows\rss\csrss.exe

MD5 66704c4648d3dd1ece32a06644386ff2
SHA1 63b9d767df00cb65447992ef7353527d7caee2c6
SHA256 311b93602be5954fd0fd5c5b27bd8dbedf1ed5f1276255c2b242719a00a1297a
SHA512 74c7a6ee75fca3a12bc5dac376dd8d09b7999c23db59882d20e30aa283397d1a54fb2bc2304184c129fda123dfe8153aa11e182151dee9fd7c3144b6dbf11f22

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ccf425411ada0b7725e46a6a8fc21ba9
SHA1 4b844c573c1309052b59b4ddc5d0f0b8f3d06bb3
SHA256 59e9bb76afda584b44ace0e486bdb52c8bbc85b02c443aebc81207644bfc30d8
SHA512 c152212ff8da0651d4f169abc8fe34e7d3b33ab3550581beeb2c55fbc3c3077a158edc76408c8762f23ed314b9be5c72cb0e29ea551b04dd8d4501da3d179642

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 036126162601c38f794897e866d315eb
SHA1 f51d1c0f52cacb081685205dd0b560ef42e1c827
SHA256 0c28a475bd75e0e501eb97dfbf90d996f043f2669ccd4342ffa8abf595f99490
SHA512 acd341d53bc53fa10c170a44832f341ca1267fa83a78ad59bf7a9ddb0879a473330be4d608719711c7e5ff91729461f4a3564a1c43b91cf48e817ed82933c20f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2f4bdc91fb0ecb85748a94afae685612
SHA1 e6c9d6ed1245856f9277dc5d8848db84ad6143f4
SHA256 f017b8b0717d157ef71a432d02ee720cb80ce14abaaeadf863435f2f91cd2210
SHA512 6667658216ddc21df62adde02a0c0e4f2b795877fdd9826e190e795b1a4664f5b071e79de0c66fd1d915cbe0c5a2a2da38c27240bc101d8863e13b58c2e57c0e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
