Malware Analysis Report

2025-01-02 06:27

Sample ID 240516-mfxnzsge67
Target 9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67
SHA256 9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67

Threat Level: Known bad

The file 9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:25

Reported

2024-05-16 10:27

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 matches (no per-match details recorded by the sandbox)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches (no per-match details recorded by the sandbox)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification (x5) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (20 events) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe (12 events) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (26 events) N/A
N/A N/A C:\Windows\rss\csrss.exe (6 events) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3400 wrote to memory of 5072 (x3) N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 4496 (x3) N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 3992 (x2) N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\system32\cmd.exe
PID 3992 wrote to memory of 1084 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5000 wrote to memory of 4240 (x3) N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 5064 (x3) N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 5112 (x3) N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\rss\csrss.exe
PID 5112 wrote to memory of 2496 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2356 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 4848 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 320 (x2) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 884 wrote to memory of 2964 (x3) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 4768 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence
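The persistence and masquerading indicators above all converge on one binary: a Run value and an ONLOGON scheduled task (both named csrss, the task at /RL HIGHEST), an inbound firewall allow rule, and a csrss.exe dropped into C:\Windows\rss, a directory the genuine csrss.exe never lives in. The Python below is an added example for this page, not the sandbox's own signature logic: it encodes those checks as small triage rules and runs them over the command lines recorded in the Processes section of this report. REPORT_CMDLINES are transcribed from that section; BENIGN_CMDLINES are constructed for the example so the rules can be seen staying quiet. The injector rule keys only on the argument shape shown here (a %TEMP%-resident EXE given a target process name and a DLL); the DLL name NtQuerySystemInformationHook.dll suggests process-list hiding, but the report does not show what the DLL does.

```python
"""Triage rules for the persistence chain in this report: a Run value and an
ONLOGON scheduled task both named 'csrss', an inbound firewall allow rule for
the same binary, a service DACL with a DENY ACE for Administrators, and a
'csrss.exe' living in C:\\Windows\\rss rather than System32.

Added example, not the sandbox's signature logic. REPORT_CMDLINES are
transcribed from this report's Processes section; BENIGN_CMDLINES are
constructed here so the rules can be seen staying quiet on ordinary input.
"""
import ntpath
import re

# Where the genuine copy of an often-impersonated binary lives. windefender.exe
# maps to an empty set: Microsoft ships no such file (the Defender service is
# WinDefend), so every path for it is suspect.
SYSTEM_BINARY_HOME = {"csrss.exe": {r"c:\windows\system32"}, "windefender.exe": set()}
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # quoted runs may contain spaces


def _norm(s):
    return s.strip('"').lower()


def _exe_name(tok):
    name = ntpath.basename(_norm(tok))
    return name[:-4] if name.endswith(".exe") else name


def check_image_path(path):
    """T1036.005: a system binary name outside the directory it belongs in."""
    p = _norm(path)
    home = SYSTEM_BINARY_HOME.get(ntpath.basename(p))
    if home is not None and ntpath.dirname(p) not in home:
        return f"{ntpath.basename(p)} in {ntpath.dirname(p)!r} is not the genuine binary"
    return None


def rule_schtasks(toks):  # schtasks /CREATE whose /TR target is a masquerader
    low = [t.lower() for t in toks]
    if _exe_name(toks[0]) != "schtasks" or "/create" not in low:
        return None
    opts = {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i].startswith("/")}
    bad = check_image_path(opts.get("/tr", ""))
    if not bad:
        return None
    elevated = opts.get("/sc", "").lower() == "onlogon" and opts.get("/rl", "").lower() == "highest"
    return f"task {opts.get('/tn', '?')}{' (ONLOGON, /RL HIGHEST)' if elevated else ''} runs {bad}"


def rule_netsh_firewall(toks):  # inbound allow rule for a masquerading program
    low = [t.lower() for t in toks[:5]]
    if _exe_name(toks[0]) != "netsh" or low[1:] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    kv = {k.lower(): _norm(v) for k, v in (t.split("=", 1) for t in toks[5:] if "=" in t)}
    bad = check_image_path(kv.get("program", ""))
    if bad and kv.get("dir") == "in" and kv.get("action") == "allow":
        return f"inbound firewall allow rule {kv.get('name')!r} for {bad}"
    return None


def rule_sc_sdset(toks):  # sc sdset carrying an explicit DENY ACE for Administrators (BA)
    if _exe_name(toks[0]) != "sc" or len(toks) < 4 or toks[1].lower() != "sdset":
        return None
    denies = re.findall(r"\(D;[^)]*;;;BA\)", toks[3])
    return f"service {toks[2]} DACL denies Administrators: {' '.join(denies)}" if denies else None


def rule_temp_injector(toks):  # %TEMP%-resident EXE given a target process and a DLL
    if "\\appdata\\local\\temp\\" not in _norm(toks[0]):
        return None
    exes = [t for t in toks[1:] if _norm(t).endswith(".exe")]
    dlls = [t for t in toks[1:] if _norm(t).endswith(".dll")]
    if exes and dlls:
        return f"{_exe_name(toks[0])}.exe from %TEMP% loads {ntpath.basename(dlls[0])} into {exes[0]}"
    return None


RULES = (rule_schtasks, rule_netsh_firewall, rule_sc_sdset, rule_temp_injector)


def triage(cmdline):
    """Every finding for one process command line; [] means nothing fired."""
    toks = TOKEN_RE.findall(cmdline) or [""]
    return [f for f in [check_image_path(toks[0])] + [r(toks) for r in RULES] if f]


def check_run_value(value_name, data):
    """Run value (T1547.001) whose target is a masquerading binary."""
    bad = check_image_path(data)
    return f"Run value {value_name!r} starts {bad}" if bad else None


REPORT_CMDLINES = [  # from the Processes section of this report
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'C:\Windows\rss\csrss.exe',
    r'"C:\Windows\windefender.exe"',
    r'powershell -nologo -noprofile',
]
BENIGN_CMDLINES = [  # constructed for this example, not from the report
    r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\update.exe" /TN VendorUpdate /F',
    r'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow program="C:\Program Files\Google\Chrome\Application\chrome.exe" enable=yes',
]

if __name__ == "__main__":
    for line in REPORT_CMDLINES + BENIGN_CMDLINES:
        print(line[:60], "->", triage(line) or "clean")
    print(check_run_value("csrss", r'"C:\Windows\rss\csrss.exe"'))
```

The path check is deliberately narrow: it only fires for binary names that have a known home, so `powershell -nologo -noprofile` (spawned repeatedly here, but unremarkable on its own) and the `schtasks /delete` call stay silent. In practice the same rules would be fed from Sysmon event 1 (process creation) and event 13 (registry value set) rather than from a sandbox transcript.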

Processes

C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe

"C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe

"C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vun1mk1v.c5x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f7034013769d9329d0bfa6ea83387914
SHA1 7cb3cae7de922b4fe00894ee54e20976706c8e83
SHA256 92ad9117875d77f284cc2b0055a9884ee54ef4f8f3459378dc95634fce8c0304
SHA512 124c0832a1316ed6509ff664f9a25e901fbd1a2741103e30029955a29f34cf57fdf499057ccff18c5d37e92d0ae82737caba05725097346cf83262061f4e5936

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b85ee1278f032e6bbd0cfbdd6b8bca60
SHA1 61297c3ec849aaeee33129521a8cbe5ccc791dc5
SHA256 45f5d0fa7f6cc4cfb27e816fd814cfbc1a91315fb4a8a5c67ab11e3e8af29cfd
SHA512 1451b3a0bdfa2b1d829fffdfadef7ed6e3585a71ee6159f113a8518b2ce4f98c597324b8e9761803d70bdf93088de0cc16fbed5d12b4595565c9cd69cc66a8cc

C:\Windows\rss\csrss.exe

MD5 ec673fca266176ed0324b61c6e20e8d4
SHA1 a4b116c4b781c6b3cc2825972045226c5325cc01
SHA256 9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67
SHA512 4668228725ff07bdbdae15e5f3276271cf5a8055f4b211ff11c57b732e74829a9e9d22096689b01216a78a3cba22465403af61d7117398edd541a81b30b4702f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6509d8e9a6ca63156a09aa025b9bda98
SHA1 12b9dedc463944516a1027f61f892bcba2a45a97
SHA256 65e2910ea2b840702455594c29b108534f88b93d2267bc1a03024c616a7b3dcf
SHA512 df03b286289b6a9b084dea297c8f449481800befe858219ac183e4233e9bec384044bb985347888b9f23ecb9a88978332b6c297de83af76dbccbd5d1afbdcef4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b0f981bafb7bfaa58a493ee79b8ea25
SHA1 52fda8f675b84ead340e88841ed9b3d1dd87f0f7
SHA256 6ecb89bd1f201d821727c62d6799c9040d2f50b537ff7bda1ddf2fe37cc8462d
SHA512 b560ced3f2feedb6b5ba50e48ed6d545f6e11a92744a57d3cea5da43b2e39a2b54bcd90147c7b92e476620b8a9b3e3e5b44224be150de1652ee0873f64f59c04

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c0fe9a9bb726fd202fa63cb40fc49860
SHA1 f3a77d150c2aad9accfde26557a6046f7540285f
SHA256 3ff81bb398bea5df770d9ea932472d5c5f8e6ef070e3f7935b53a09a961b0936
SHA512 75a923757ea7e623a33fcb8a59fd98b79ee75c8ed334e6e92bdf0c5e7031e206b5df4429f52578488a6abd33016443731c40ae2dd100aad3877c98a7ab04b342

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:25

Reported

2024-05-16 10:27

Platform

win11-20240426-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\system32\cmd.exe
PID 1844 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1844 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4804 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\rss\csrss.exe
PID 4804 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\rss\csrss.exe
PID 4804 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe C:\Windows\rss\csrss.exe
PID 3784 wrote to memory of 128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 2728 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 2728 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 2728 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 1244 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3784 wrote to memory of 1244 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4408 wrote to memory of 3924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 3924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 3924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3924 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3924 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
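
The rows above are the sandbox's view of who spawned whom (the "wrote to memory" event fires when a parent sets up a child's environment block), so they can be folded into a process tree. The script below does that for a constructed subset of the rows copied from the table; it is an added example, not part of the report, and the csrss.exe masquerade check at the end is my own heuristic rather than one of the sandbox's signatures. It collapses the repeated rows (the sandbox logs each write up to three times), finds the chain roots, and renders the tree, which makes the C:\Windows\rss\csrss.exe stage and the separate windefender.exe -> cmd.exe -> sc.exe chain visible at a glance.

```python
"""Rebuild the process chain from 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the sandbox report: ROWS is a constructed subset
copied from the table above, and masquerades() is my heuristic, not a report
signature.  Paths with no spaces are assumed (true for every row on the page)."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed input: verbatim row format, including the sandbox's triplicates.
ROWS = rf"""
PID 3024 wrote to memory of 2704 N/A {SAMPLE} {PS}
PID 3024 wrote to memory of 2704 N/A {SAMPLE} {PS}
PID 3024 wrote to memory of 2704 N/A {SAMPLE} {PS}
PID 4804 wrote to memory of 4300 N/A {SAMPLE} {PS}
PID 4804 wrote to memory of 1844 N/A {SAMPLE} C:\Windows\system32\cmd.exe
PID 1844 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4804 wrote to memory of 3780 N/A {SAMPLE} {PS}
PID 4804 wrote to memory of 2660 N/A {SAMPLE} {PS}
PID 4804 wrote to memory of 3784 N/A {SAMPLE} C:\Windows\rss\csrss.exe
PID 3784 wrote to memory of 128 N/A C:\Windows\rss\csrss.exe {PS}
PID 3784 wrote to memory of 2728 N/A C:\Windows\rss\csrss.exe {PS}
PID 3784 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe {PS}
PID 3784 wrote to memory of 1244 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4408 wrote to memory of 3924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
""".strip()

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return unique (ppid, pid, parent_image, child_image) tuples, first-seen order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, blank or unrelated line
        edge = (int(m[1]), int(m[2]), m[3], m[4])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map ppid -> [(pid, image), ...] and pid -> image path."""
    children, image = defaultdict(list), {}
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[pid] = cimg
        children[ppid].append((pid, cimg))
    return children, image


def roots(edges):
    """PIDs that write to others but are never written to: the top of each chain."""
    parents = {e[0] for e in edges}
    kids = {e[1] for e in edges}
    return sorted(parents - kids)


def render(children, image, pid, depth=0):
    """Indented text tree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {image[pid]}"]
    for cpid, _ in children.get(pid, []):
        lines.extend(render(children, image, cpid, depth + 1))
    return lines


# Heuristic: a well-known system binary name running outside the system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def masquerades(image):
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    return name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)


def suspicious_images(edges):
    _, image = build_tree(edges)
    return sorted({img for img in image.values() if masquerades(img)})


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    children, image = build_tree(edges)
    for r in roots(edges):
        print("\n".join(render(children, image, r)), end="\n\n")
    print("masquerading:", suspicious_images(edges))
```

Three roots come out: PID 3024 (the first run of the sample, which only spawns PowerShell), PID 4804 (the second run, which adds the firewall rule, drops C:\Windows\rss\csrss.exe and hands off to it) and PID 4408 (windefender.exe, for which the table records no parent). The same parse applies unchanged to a Sysmon event-1 export if you swap the regex for the ParentProcessId/ProcessId fields.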

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe

"C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe

"C:\Users\Admin\AppData\Local\Temp\9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
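
The `sc sdset WinDefender ...` line above is the most instructive command in this list. The SDDL string it applies is the stock service descriptor with two changes to the Administrators (BA) entries: SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) are removed from the allow ACE, and a separate deny ACE `(D;;WPDT;;;BA)` is added, so `sc stop WinDefender` fails even from an elevated prompt. Writing the `S:` audit section is also why sc.exe shows up with SeSecurityPrivilege in the AdjustPrivilegeToken table above. The decoder below is an added example, not part of the report: the SDDL string is copied verbatim from the page, the two-letter rights table is the standard SDDL mapping for service objects, and DEFAULT_SDDL is assumed to be the descriptor Windows assigns to a newly created service (used only as a baseline for the diff).

```python
"""Decode the service security descriptor set by `sc sdset WinDefender ...`.
Added example, not part of the sandbox report.  MALWARE_SDDL is the string
from the process list; DEFAULT_SDDL is an assumed baseline (what a freshly
created service gets) used only to show which rights were stripped."""
import re

SERVICE_RIGHTS = {  # SDDL two-letter tokens as interpreted for service objects
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline for comparison: differs from the malware's DACL only in BA entries.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")   # D: = DACL, S: = SACL
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(token):
    """'CCLCSW' -> ['CC', 'LC', 'SW']; a hex mask such as 0x1F01FF is passed through."""
    if token.startswith("0x"):
        return [token]
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def parse_sddl(sddl):
    """Parse the DACL and SACL into ACE dicts (plain ACEs only, no conditional ACEs)."""
    acl = {"dacl": [], "sacl": []}
    for m in SECTION_RE.finditer(sddl):
        key = "dacl" if m[1] == "D" else "sacl"
        for ace in ACE_RE.findall(m[2]):
            t, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
            acl[key].append({"type": ACE_TYPES.get(t, t), "flags": flags,
                             "rights": split_rights(rights), "trustee": sid})
    return acl


def effective_rights(sddl, trustee):
    """Approximate an access check for one trustee: any right present in a
    deny ACE is treated as denied regardless of allow ACEs."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] != trustee:
            continue
        (allowed if ace["type"] == "allow" else denied).update(ace["rights"])
    return allowed - denied


def describe(rights):
    return sorted(SERVICE_RIGHTS.get(r, r) for r in rights)


def findings(sddl, baseline=DEFAULT_SDDL, trustee="BA"):
    """What the descriptor takes away from Administrators, and what it leaves."""
    kept = effective_rights(sddl, trustee)
    lost = effective_rights(baseline, trustee) - kept
    return {"stripped": describe(lost),
            "can_stop": "WP" in kept,
            "can_rewrite_dacl": "WD" in kept,
            "can_delete": "SD" in kept}


if __name__ == "__main__":
    for ace in parse_sddl(MALWARE_SDDL)["dacl"]:
        who = TRUSTEES.get(ace["trustee"], ace["trustee"])
        print(f"{ace['type']:5} {who:20} {','.join(ace['rights'])}")
    print(findings(MALWARE_SDDL))
```

The diff is narrow: only SERVICE_STOP and SERVICE_PAUSE_CONTINUE are stripped, while Administrators keep SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC. As far as the descriptor alone is concerned, an administrator can therefore restore the DACL with another `sc sdset`, or reconfigure and delete the service, and then stop it; whether that works on a live infection also depends on the rootkit component the report flags elsewhere (WinMonFS), about which the SDDL string says nothing. For detection, a deny ACE on WP or DT for BA in any `sc sdset` command line is a strong signal: legitimate software has little reason to forbid administrators from stopping its own service.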

Network

Country Destination Domain Proto
US 8.8.8.8:53 033541dd-6136-45bb-acad-b1b4c839682d.uuid.myfastupdate.org udp
US 8.8.8.8:53 server4.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server4.myfastupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server4.myfastupdate.org tcp
BG 185.82.216.111:443 server4.myfastupdate.org tcp
BG 185.82.216.111:443 server4.myfastupdate.org tcp

Files

memory/3024-1-0x0000000002A30000-0x0000000002E2E000-memory.dmp

memory/3024-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3024-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2704-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

memory/2704-5-0x0000000004CD0000-0x0000000004D06000-memory.dmp

memory/2704-7-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/2704-6-0x00000000053D0000-0x00000000059FA000-memory.dmp

memory/2704-8-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/2704-10-0x0000000005B70000-0x0000000005BD6000-memory.dmp

memory/2704-11-0x0000000005BE0000-0x0000000005C46000-memory.dmp

memory/2704-9-0x0000000005290000-0x00000000052B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybtoafzd.krc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2704-20-0x0000000005C50000-0x0000000005FA7000-memory.dmp

memory/2704-21-0x0000000006140000-0x000000000615E000-memory.dmp

memory/2704-22-0x0000000006190000-0x00000000061DC000-memory.dmp

memory/2704-23-0x00000000066C0000-0x0000000006706000-memory.dmp

memory/2704-25-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/2704-26-0x0000000070340000-0x0000000070697000-memory.dmp

memory/2704-37-0x00000000075D0000-0x0000000007674000-memory.dmp

memory/2704-36-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/2704-35-0x00000000075B0000-0x00000000075CE000-memory.dmp

memory/2704-24-0x0000000007570000-0x00000000075A4000-memory.dmp

memory/2704-38-0x0000000007D40000-0x00000000083BA000-memory.dmp

memory/2704-39-0x0000000007700000-0x000000000771A000-memory.dmp

memory/2704-40-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/2704-41-0x0000000007740000-0x000000000774A000-memory.dmp

memory/2704-42-0x0000000007850000-0x00000000078E6000-memory.dmp

memory/2704-43-0x0000000007760000-0x0000000007771000-memory.dmp

memory/2704-44-0x00000000077B0000-0x00000000077BE000-memory.dmp

memory/2704-45-0x00000000077C0000-0x00000000077D5000-memory.dmp

memory/2704-46-0x0000000007810000-0x000000000782A000-memory.dmp

memory/2704-47-0x0000000007830000-0x0000000007838000-memory.dmp

memory/2704-50-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/4804-52-0x0000000002A20000-0x0000000002E22000-memory.dmp

memory/4300-61-0x0000000005720000-0x0000000005A77000-memory.dmp

memory/4300-63-0x00000000703C0000-0x0000000070717000-memory.dmp

memory/4300-72-0x0000000006E90000-0x0000000006F34000-memory.dmp

memory/4300-62-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/4300-73-0x00000000071C0000-0x00000000071D1000-memory.dmp

memory/4300-74-0x0000000007210000-0x0000000007225000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/3780-86-0x0000000005710000-0x0000000005A67000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3815d3087a38efeccf409ba2b148b754
SHA1 465e36db832e2f68f11f45bbb6aaa4aa1e2927dc
SHA256 a1305b9187a9a13501e00a4b522de896024ecd2c8ad4cdc94144ff63c1575c19
SHA512 11cc16ca36aa92a652d556de02c594873fefa04920ec6744fe7c9d35d180ff605ced1ef1037fc87e63efaacf4549b752f16d6cdd53abac63fd13363f1eedad08

memory/3780-89-0x0000000070350000-0x00000000706A7000-memory.dmp

memory/3780-88-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/3024-99-0x0000000002A30000-0x0000000002E2E000-memory.dmp

memory/3024-98-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3024-100-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/2660-110-0x00000000055F0000-0x0000000005947000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c2d7bc7f55943ecce6766ee5832e9eb7
SHA1 3da528c7e252f9b0326b6081357f6e0a1033c9eb
SHA256 cd69f5cedebe59725d7b0785185141022a7c07cb5cf3ff34956130f795831363
SHA512 ac44af6e1acb7f09427dcd09d672f89bb9c4aa788b54fb0251b83ee1fc2511aeedf6a193b1179d5d607e32616ce46ae556d6420fe68c6631a9ece7c8062d1dbd

memory/2660-112-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/2660-113-0x0000000070400000-0x0000000070757000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ec673fca266176ed0324b61c6e20e8d4
SHA1 a4b116c4b781c6b3cc2825972045226c5325cc01
SHA256 9319ecf68e0e7e20df46c53fb9fddcba920be61bcbe56814ecb567922cbb9c67
SHA512 4668228725ff07bdbdae15e5f3276271cf5a8055f4b211ff11c57b732e74829a9e9d22096689b01216a78a3cba22465403af61d7117398edd541a81b30b4702f

memory/4804-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf7ed637dfb67a1471e72ccefd2b01a6
SHA1 027244b4e37f5f252929579c010c9372f5ae5cb2
SHA256 9b1d680296fcccce42a2d644a701f5458d39b5f1770e9d82e0a3ba3d6a2d5ed8
SHA512 76c94eb3b5292b17443452f0fbbcbbecae004e756720226736456fc54380360d38db3a615b30099ed2ebb2de6e1beb6eb48bef1cee062dc6a2b0921147a14b56

memory/128-138-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/128-139-0x0000000070400000-0x0000000070757000-memory.dmp

memory/2728-158-0x0000000005D80000-0x00000000060D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ccedba99c40041a41a58766a1660aef
SHA1 7f96ab6aec56b6117b42a49b7f0cc0f0999fece8
SHA256 72ae6f5c820d9ebd56e8dcc6020a0acb4f1b6320d50533ae1ee27979790e41db
SHA512 f585cf7531b75381dfb37176a3881e80b3c036424309f3e35d7f33a1df7b3e80ab3bcb850615d6e0abd236eb57577005784eefa2d984aa0dbe665473512e8ec7

memory/2728-160-0x0000000006330000-0x000000000637C000-memory.dmp

memory/2728-162-0x0000000070250000-0x00000000705A7000-memory.dmp

memory/2728-161-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/2728-171-0x0000000007590000-0x0000000007634000-memory.dmp

memory/2728-172-0x00000000078E0000-0x00000000078F1000-memory.dmp

memory/2728-173-0x0000000006100000-0x0000000006115000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88d02fa1eafa494dd69e11a8f86ea446
SHA1 bd21c48ac4ebfbd697c1f447f5d7e66dddbdba9d
SHA256 6fcced166c4a201c6af9a41c88686aec31bb0c0c98372ccd97163b947a009266
SHA512 05066eeb560d11976cce96caccdf52280b1dbd1bfd32f50f4360aa35c6ad7b1088b38dc5d70a1c526686a186d1bba3841efeba068e08a8bcf44548148e9b200f

memory/4672-184-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4672-185-0x0000000070340000-0x0000000070697000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3784-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4408-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3840-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3784-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4408-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3840-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3784-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3840-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3784-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3784-243-0x0000000000400000-0x0000000000D1C000-memory.dmp