Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-mfg9asge45
Target ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a
SHA256 ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a

Threat Level: Known bad

The file ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a was found to be: Known bad.

Malicious Activity Summary


Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:24

Reported

2024-05-16 10:26

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\system32\cmd.exe
PID 4268 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3892 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\rss\csrss.exe
PID 4100 wrote to memory of 4308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4100 wrote to memory of 1276 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4100 wrote to memory of 4524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4100 wrote to memory of 3424 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4440 wrote to memory of 1612 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 3460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe

"C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe

"C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
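
The `sc sdset WinDefender ...` command line above rewrites the security descriptor of the service the sample installs, and the SDDL string is hard to read by eye. The Python below is an added example, not part of the sandbox report: it parses that exact string (copied from the command line), maps the two-letter tokens onto service access rights, and diffs the result against the DACL an unmodified service carries. The baseline string is what `sc sdshow` prints for a stock service and is this example's assumption, not something the report records.

```python
"""Decode the service security descriptor applied by `sc sdset WinDefender ...`.

Added example, not part of the sandbox report. SAMPLE_SDDL is copied from the
report's command line; DEFAULT_SDDL is the descriptor `sc sdshow` prints for
an unmodified service and is this example's assumed baseline."""
import re
from typing import Dict, List, Set, Tuple

# Two-letter SDDL tokens as they map onto service-object access rights.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([^;]*);;;([^)]+)\)")

SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")


def split_rights(field: str) -> List[str]:
    """Turn a run of two-letter tokens into named rights (hex masks unsupported)."""
    if field.startswith("0x") or len(field) % 2:
        raise ValueError(f"unsupported rights field: {field!r}")
    try:
        return [SERVICE_RIGHTS[field[i:i + 2]] for i in range(0, len(field), 2)]
    except KeyError as exc:
        raise ValueError(f"unknown right token {exc}") from None


def parse_dacl(sddl: str) -> List[Tuple[str, str, List[str]]]:
    """DACL as ordered (ace_type, trustee, rights) tuples; the SACL is ignored."""
    m = re.search(r"D:((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("descriptor has no D: component")
    return [(t, sid, split_rights(rights)) for t, _flags, rights, sid in ACE_RE.findall(m.group(1))]


def effective_rights(sddl: str, trustee: str) -> Dict[str, str]:
    """Per-right outcome for one trustee, evaluated in ACE order like Windows:
    the first ACE naming a right decides it. Only the given SID alias is
    matched; group membership of a real token is out of scope here."""
    outcome: Dict[str, str] = {}
    for ace_type, sid, rights in parse_dacl(sddl):
        if sid == trustee and ace_type in ("A", "D"):
            for r in rights:
                outcome.setdefault(r, "allow" if ace_type == "A" else "deny")
    return outcome


def allowed(sddl: str, trustee: str) -> Set[str]:
    return {r for r, o in effective_rights(sddl, trustee).items() if o == "allow"}


def rights_removed(sddl: str, baseline: str, trustee: str) -> Set[str]:
    """Rights the trustee holds under `baseline` but no longer under `sddl`."""
    return allowed(baseline, trustee) - allowed(sddl, trustee)


def explicit_denies(sddl: str) -> List[Tuple[str, List[str]]]:
    """Deny ACEs are rare on service objects, so each one is a finding."""
    return [(sid, rights) for t, sid, rights in parse_dacl(sddl) if t == "D"]


if __name__ == "__main__":
    for alias in ("SY", "BA", "IU"):
        print(f"{TRUSTEES[alias]}: {sorted(allowed(SAMPLE_SDDL, alias))}")
    print("Administrators lost:", sorted(rights_removed(SAMPLE_SDDL, DEFAULT_SDDL, "BA")))
    print("Explicit denies:", explicit_denies(SAMPLE_SDDL))
```

Run against the report's string, the decoder shows Administrators losing SERVICE_STOP and SERVICE_PAUSE_CONTINUE twice over: both rights are missing from their allow ACE and are denied again in a separate deny ACE, so an elevated `sc stop WinDefender` is refused. The lock is shallow, though: the descriptor still grants Administrators WRITE_DAC and SERVICE_CHANGE_CONFIG, so a responder can reapply the default descriptor with `sc sdset`, then stop and delete the service; LocalSystem keeps full control throughout.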

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 c29a48f4-c7aa-48be-807d-7a5b8194b3c9.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.thestatsfiles.ru udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 8.8.8.8:53 107.242.123.52.in-addr.arpa udp

Files

memory/1976-1-0x0000000002950000-0x0000000002D55000-memory.dmp

memory/1976-2-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/1976-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1000-4-0x0000000074F8E000-0x0000000074F8F000-memory.dmp

memory/1000-5-0x0000000002680000-0x00000000026B6000-memory.dmp

memory/1000-6-0x0000000004E30000-0x0000000005458000-memory.dmp

memory/1000-7-0x0000000074F80000-0x0000000075730000-memory.dmp

memory/1000-8-0x0000000074F80000-0x0000000075730000-memory.dmp

memory/1000-9-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

memory/1000-11-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/1000-10-0x00000000054D0000-0x0000000005536000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jb3hbouh.gr0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1000-21-0x00000000056B0000-0x0000000005A04000-memory.dmp

memory/1000-22-0x0000000005C70000-0x0000000005C8E000-memory.dmp

memory/1000-23-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

memory/1000-24-0x00000000061D0000-0x0000000006214000-memory.dmp

memory/1000-25-0x0000000006F90000-0x0000000007006000-memory.dmp

memory/1000-26-0x0000000007690000-0x0000000007D0A000-memory.dmp

memory/1000-27-0x0000000007030000-0x000000000704A000-memory.dmp

memory/1000-29-0x0000000070E20000-0x0000000070E6C000-memory.dmp

memory/1000-28-0x00000000071F0000-0x0000000007222000-memory.dmp

memory/1000-30-0x0000000070FC0000-0x0000000071314000-memory.dmp

memory/1000-40-0x0000000007230000-0x000000000724E000-memory.dmp

memory/1000-41-0x0000000074F80000-0x0000000075730000-memory.dmp

memory/1000-43-0x0000000074F80000-0x0000000075730000-memory.dmp

memory/1000-42-0x0000000007250000-0x00000000072F3000-memory.dmp

memory/1000-44-0x0000000007340000-0x000000000734A000-memory.dmp

memory/1000-45-0x0000000007450000-0x00000000074E6000-memory.dmp

memory/1000-46-0x0000000007350000-0x0000000007361000-memory.dmp

memory/1000-47-0x0000000007390000-0x000000000739E000-memory.dmp

memory/1000-48-0x00000000073B0000-0x00000000073C4000-memory.dmp

memory/1000-49-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/1000-50-0x00000000073E0000-0x00000000073E8000-memory.dmp

memory/1000-53-0x0000000074F80000-0x0000000075730000-memory.dmp

memory/1976-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1976-56-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/3892-58-0x0000000002A10000-0x0000000002E0C000-memory.dmp

memory/3892-59-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/4052-69-0x0000000005730000-0x0000000005A84000-memory.dmp

memory/4052-70-0x0000000005E70000-0x0000000005EBC000-memory.dmp

memory/4052-71-0x0000000070F20000-0x0000000070F6C000-memory.dmp

memory/4052-72-0x00000000716C0000-0x0000000071A14000-memory.dmp

memory/4052-82-0x0000000006F50000-0x0000000006FF3000-memory.dmp

memory/4052-83-0x0000000007270000-0x0000000007281000-memory.dmp

memory/4052-84-0x00000000072C0000-0x00000000072D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c9a59615ecc6c0ddaeb3be40c8c79ab9
SHA1 7c72b0db1687f90a6c7ac1bc81096078736a4817
SHA256 b68eb99dcaedb619916c0d2c058ed0d0c0261a255bba45f1f5a33616abb46df6
SHA512 af8eb2550d0405ceba21ef9773f74c07908482d5649aabf05f5c92cd35bdcaa237803430badabd2c32145cde89a153c0f2f592413b062933e5b5a0f3aab7f242

memory/444-99-0x00000000716C0000-0x0000000071A14000-memory.dmp

memory/444-98-0x0000000070F20000-0x0000000070F6C000-memory.dmp

memory/4720-119-0x00000000056E0000-0x0000000005A34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 942fea5c524f4cf1509dec93a1bbc386
SHA1 c4601f216bd7d9fd8da59ad6ed1f6a4efae237af
SHA256 1261c6ddf69cba3e6b9452fde7429e14b58fe293b807c7317fca15ba30c2db34
SHA512 15ce6f794283f21c90f4b6d1205aba1667040831eee52dfcd8a1579c6d525024e55c544ac8bc14c475296db28850e83220a5f90c115382d6de39499ce5b88f33

memory/4720-121-0x0000000070F20000-0x0000000070F6C000-memory.dmp

memory/4720-122-0x00000000710A0000-0x00000000713F4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 8138c6f377a0a3169c6ccd074b5c8f86
SHA1 d29f58c813da21c931fc6fa432414221127884f6
SHA256 ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a
SHA512 3547d7f938839c8e0bf7aa2166d5db000b0cd4d1c40393420ed054173729a8386601174760bc39684c4522f9978fc2b58eae2ac25c018d8eb49dda941c627b9d

memory/3892-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4308-148-0x0000000005A00000-0x0000000005D54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b7af4a60fb3e686e0643f7aa4d6f56a
SHA1 283d9014aac82d095414e8253602307a3148f789
SHA256 e520153eb202b6003d9d36e737054bbbe78aa73028952f92f0fa0a1bc22d88e2
SHA512 0e84ba983dab0cdeddb0df748feb92b32978f45626d5de26917a2476c99bf8ee265bef48f17597277b30adfbdb983019ba6a0aa97a72517364c305bffa06072d

memory/4308-150-0x0000000006500000-0x000000000654C000-memory.dmp

memory/4308-151-0x0000000070E80000-0x0000000070ECC000-memory.dmp

memory/4308-152-0x0000000071030000-0x0000000071384000-memory.dmp

memory/4308-162-0x0000000007220000-0x00000000072C3000-memory.dmp

memory/4308-163-0x0000000005D90000-0x0000000005DA1000-memory.dmp

memory/4308-164-0x0000000005DD0000-0x0000000005DE4000-memory.dmp

memory/1276-175-0x0000000005750000-0x0000000005AA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 05cf7dcab8a9d27d0d3303155f84f734
SHA1 8533d6a9558c7ed7cbdffcbab3f2170b17dbf1d6
SHA256 5e3bdc25cd821b3ef52cce3700f8ed6fd09e7119280f9b11099e4bf94a94a903
SHA512 5aad94f574f5779a8554b12d5ec973696542d33f4fe7fab3904c8cbbff38b785c44898e95f0ec5861b41ca4b3a60ea322f9fe5bc5ee2089f57852b4f9df55da6

memory/1276-177-0x00000000062A0000-0x00000000062EC000-memory.dmp

memory/1276-178-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

memory/1276-179-0x0000000070F30000-0x0000000071284000-memory.dmp

memory/1276-189-0x0000000007050000-0x00000000070F3000-memory.dmp

memory/1276-190-0x0000000007350000-0x0000000007361000-memory.dmp

memory/1276-191-0x00000000056C0000-0x00000000056D4000-memory.dmp

memory/4524-193-0x0000000005A40000-0x0000000005D94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 414b608d1f0a8932a3b0c9d56b8a9264
SHA1 1005a519fa1ae865106728ba3fabf8f2c3e109b7
SHA256 4d839bdfe5cb5442f2c63c163b0bcedb2df493192384cff61b14149ca07e0d89
SHA512 9c9c8ebe1a8ba0c3667f1c2948c9009ee842f6820a38de07d20be3a271c6bc065fe4ed19309464c7a08aff55937bcebba4c8501230eb46035c76dc62f017a372

memory/4524-204-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

memory/4524-205-0x0000000071530000-0x0000000071884000-memory.dmp

memory/4100-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4100-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4440-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5024-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4440-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4100-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5024-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4100-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5024-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4100-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4100-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:24

Reported

2024-05-16 10:27

Platform

win11-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

17 matches recorded; the report gives no description, indicator, process or target for any of them

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
6 matches recorded; the report gives no description, indicator, process or target for any of them

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
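
The signatures above describe a small, repeatable persistence chain: a Run key and an ONLOGON scheduled task both pointing at C:\Windows\rss\csrss.exe (a path outside System32 that borrows a core Windows process name; in behavioral1 that dropped file carries the submitted sample's SHA256), a firewall allow rule for the same path, and an sc.exe launch that in behavioral1 turned out to be the `sc sdset WinDefender` descriptor change. The Python below is an added example, not part of the sandbox report: it encodes those behaviours as rules over constructed process-creation and registry events. Field names (Image, CommandLine, EventType, TargetObject, Details) follow Sysmon conventions and are an assumption; the malicious records copy the report's command lines and Run-key write, the benign look-alikes are made up to show the rules stay quiet on them.

```python
"""Triage rules for the persistence chain in this report. Added example, not
part of the sandbox report. Field names follow Sysmon conventions (Image,
CommandLine; EventType, TargetObject, Details) and are an assumption."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]

# Where legitimate firewall exceptions, logon tasks and Run keys point. Note
# that C:\Windows\ itself is not trusted: the sample uses C:\Windows\rss\.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")

def _trusted(path: str) -> bool:
    return path.strip().strip('"').lower().startswith(TRUSTED_ROOTS)

def _value_after(prefix: str, cmd: str) -> Optional[str]:
    """Value following `prefix` in a command line, whether quoted or bare."""
    m = re.search(prefix + r'\s*("([^"]+)"|(\S+))', cmd, re.I)
    return (m.group(2) or m.group(3)) if m else None

def firewall_allow_untrusted_program(ev: Event) -> Optional[str]:
    cmd = ev.get("CommandLine", "")
    if not re.search(r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", cmd, re.I):
        return None
    prog = _value_after(r"program=", cmd)
    return None if prog is None or _trusted(prog) else f"firewall exception for {prog}"

def logon_task_untrusted_binary(ev: Event) -> Optional[str]:
    cmd = ev.get("CommandLine", "")
    if not (re.search(r"\bschtasks(\.exe)?\s+/create\b", cmd, re.I)
            and re.search(r"/sc\s+onlogon\b", cmd, re.I)):
        return None
    target = _value_after(r"/tr", cmd)
    if target is None or _trusted(target):
        return None
    elevated = " at highest privilege" if re.search(r"/rl\s+highest\b", cmd, re.I) else ""
    return f"logon task runs {target}{elevated}"

def service_dacl_denies_stop(ev: Event) -> Optional[str]:
    m = re.search(r"\bsc(\.exe)?\s+sdset\s+(\S+)\s+(\S+)", ev.get("CommandLine", ""), re.I)
    if not m:
        return None
    service, sddl = m.group(2), m.group(3)
    # A deny ACE on a service is unusual; WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE.
    for rights, sid in re.findall(r"\(D;[^;]*;([A-Z]+);;;([A-Z]+)\)", sddl):
        if {rights[i:i + 2] for i in range(0, len(rights), 2)} & {"WP", "DT"}:
            return f"{service}: stop/pause denied to {sid}"
    return None

def csrss_outside_system32(ev: Event) -> Optional[str]:
    img = ev.get("Image", "")
    low = img.lower()
    if low.endswith("\\csrss.exe") and not low.startswith("c:\\windows\\system32\\"):
        return f"csrss.exe masquerade at {img}"
    return None

def run_key_untrusted_target(ev: Event) -> Optional[str]:
    key = ev.get("TargetObject", "")
    is_run = "\\software\\microsoft\\windows\\currentversion\\run\\" in key.lower()
    if ev.get("EventType") != "SetValue" or not is_run:
        return None
    target = ev.get("Details", "").strip().strip('"')
    name = key.rsplit("\\", 1)[-1]
    return None if _trusted(target) else f"Run\\{name} -> {target}"

RULES: List[Tuple[str, Callable[[Event], Optional[str]]]] = [
    ("firewall_allow_untrusted_program", firewall_allow_untrusted_program),
    ("logon_task_untrusted_binary", logon_task_untrusted_binary),
    ("service_dacl_denies_stop", service_dacl_denies_stop),
    ("csrss_outside_system32", csrss_outside_system32),
    ("run_key_untrusted_target", run_key_untrusted_target),
]

def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Apply every rule to every event; return (rule name, evidence) pairs."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((name, hit))
    return findings

# Events 0-5 mirror the report (command lines and Run-key write copied from it);
# 6-8 are constructed benign look-alikes the rules must not flag.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\system32\netsh.exe", "CommandLine": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"Image": r"C:\Windows\SYSTEM32\schtasks.exe", "CommandLine": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"Image": r"C:\Windows\SYSTEM32\schtasks.exe", "CommandLine": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"Image": r"C:\Windows\SysWOW64\sc.exe", "CommandLine": r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"Image": r"C:\Windows\rss\csrss.exe", "CommandLine": r"C:\Windows\rss\csrss.exe"},
    {"EventType": "SetValue", "TargetObject": r"HKU\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss", "Details": r'"C:\Windows\rss\csrss.exe"'},
    {"Image": r"C:\Windows\System32\csrss.exe", "CommandLine": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"Image": r"C:\Windows\system32\netsh.exe", "CommandLine": r'netsh advfirewall firewall add rule name="Sync" dir=in action=allow program="C:\Program Files (x86)\Vendor\sync.exe" enable=yes'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": r'schtasks /Create /SC ONLOGON /TR "C:\Program Files\Vendor\agent.exe" /TN VendorAgent'},
]
```

Each rule keys on the combination the report shows rather than on the tool alone: netsh, schtasks and sc are noisy by themselves, but an allow rule, a highest-privilege logon task or a deny ACE aimed at a binary outside System32 or Program Files is rare in normal administration. The trusted-root list is deliberately narrow; widening it to all of C:\Windows\ would hide both C:\Windows\rss\csrss.exe and C:\Windows\windefender.exe from this report.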

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1836 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1836 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1836 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1836 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1836 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe C:\Windows\rss\csrss.exe
PID 1068 wrote to memory of 3884 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 1624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 4092 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 4756 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1004 wrote to memory of 952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe

"C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe

"C:\Users\Admin\AppData\Local\Temp\ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 4f362317-736d-43f0-940a-4fd0192b57e9.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server1.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggtfw0bu.pc4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6787ed69725d8bfc4f640dfc736af6df
SHA1 4da45c9670246f6c530c3e6c13fc23ab19ebf2c7
SHA256 ca6ca14928ffe9515176f287e6830704500ac41cb652ff1d87b16b769c960841
SHA512 47fd41e6bfc3d0bdd3862b78150f2e8c896b006a60a32e2c93e998e1b0a0948e56d51d9b534cd002c7f479110a46c14b7987041358362c60f1d44efe35822849

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 58a72bbaf4ea79a35a2ca9ca2ee1f645
SHA1 a36f4636d0b157c71b328c53bbc4e4270d27cca7
SHA256 9ef1b315533c919a284e8e4f9489ae9e38c2de76100bc0dd0edf3a96fd7ad9d1
SHA512 00388ed4bbaee37b5dc9ada16e3f306600e7b6ddfdd6b9bf254defe8dfbfd799b9fe1c41a1c3167c58f3158cfc8fb34db350788cc9a4694fcb8cf0602deaeabb

C:\Windows\rss\csrss.exe

MD5 8138c6f377a0a3169c6ccd074b5c8f86
SHA1 d29f58c813da21c931fc6fa432414221127884f6
SHA256 ea9192da8bf60812d5cdc7765125ffc23491139cbc7783e016adcd65674a2b0a
SHA512 3547d7f938839c8e0bf7aa2166d5db000b0cd4d1c40393420ed054173729a8386601174760bc39684c4522f9978fc2b58eae2ac25c018d8eb49dda941c627b9d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8c390da4537fe675d1c75548f7803143
SHA1 2f1ab7f62c89a89bb9e7cb35de394c8efecd4467
SHA256 dc7904a9515b7bc6d5b7bc7e89bdaacb181ce861e6b269fbf1d28e707e4f582e
SHA512 9cd0e0b9d0151b0fb48a5c9ab1fc4dafdb79e18d0764cbebd462ff4bbb361e7f2c0dee04c90bcb05ec4362494956f1c14c106ef1f00fa2d614e1600f71dddfad

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d3f45fb6c3789586d228200def536555
SHA1 633fa756529befdcd431e2fd1a8772db69cb5ff5
SHA256 45f5e1c2b72e4073855c7c73972a6b545816baa831f16c18c6d8aac6bace0fba
SHA512 59445e0fda0b32e2ec140946bc11dfb642beb95d256e0e82fcdadbff2fb11b2e7f374fca28b68b081666b018463482e331172273629c494324420a941bed359c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dcfa4fd1673a5c8a7182cd095fdd2b8d
SHA1 aa0770d853dadf19785ff8921513544f9a556681
SHA256 382577a923da339ff19b0f9fb3b56d2caf31ed8d20717e0cb3678b0352b2fde4
SHA512 53147f589f41faf4790feae083ee848d80f48702b8f35c0021a755951af97ef3dbff4af1aefeb502011211b4d6bf0cba2425c2306c8cd8adc22b3e8931517102

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
