Malware Analysis Report

2025-01-02 06:27

Sample ID 240516-mnp9waha34
Target 63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe
SHA256 63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe

Threat Level: Known bad

The file 63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:36

Reported

2024-05-16 10:39

Platform

win11-20240426-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS


Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 776 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 776 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\rss\csrss.exe
PID 4304 wrote to memory of 2360 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 4612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 4656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3324 wrote to memory of 2712 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe

"C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe

"C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e2323215-f70c-49f2-8331-db56c6a13209.uuid.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.datadumpcloud.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server9.datadumpcloud.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server9.datadumpcloud.org tcp
NL 52.111.243.31:443 N/A tcp
BG 185.82.216.104:443 server9.datadumpcloud.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwizlu1u.omu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c352d72d8e92168b73fc6127e2bffb5a
SHA1 75750791e131fcf2ee09ac16115315aee457ef27
SHA256 37fb47bd50c6a2925d7e7444b40576408e6db551af7205638af9d23d26132485
SHA512 45faa35ede5eb39285aa77d5ab31e12cb2833d8b4d74a0235c7c05601efa1eec3c2ac91097928458f8e183f4f76759aca5af669ce7eb6eb89dbb5302342ba50b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e9b6a7aaad9b99df42f01f4502185ea7
SHA1 dac32891aef5321da35b63f6748be0873448d7c6
SHA256 7d331e91c1de5042f2e40e327324088f753295d7065c1a45bb1d3aa962816174
SHA512 ff442af972522f57449686da79e61f0b1135805aa18e9a1948598e502ad2161b4f7e2b005764c1bcf246782a8f46627fdc3ebb8b76360e313501adbc89d53abf

C:\Windows\rss\csrss.exe

MD5 aee2c22e4314fbb67d91cd59ccfd1bef
SHA1 217182b4b27f675e49ccb59621ea6ce5ca212288
SHA256 63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe
SHA512 0b1391a78fe8be2413f6f431b297e35e78f8cbd22b9e715bb86f6dba6fe4ef2b45cccb3a6bd280b570926f4cc7dab4329f34de6c56b8e9107859175edd831cd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c353d8c4f1d6a023e8fb6bc8f56bafc2
SHA1 e68e34dae4dfad5b387dcdaf8251109ac5937fe5
SHA256 417b6799ac18d5e3a94a0c5448352bb718348c804cb9949c8c538cd27f602938
SHA512 623a193b9af5d036428df9088c9b353e3e9bc8aa638a230aa7121a2a202aa55200f04be999a255f21bccef96599f20edfe20c819f15861d7862ec5dbaaa5f54d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5de99d641a39cd18f73cf38e216045af
SHA1 77d41a4eabf5ade0bef05fcfb2e4ac49bf4ce562
SHA256 aadbc6ea2d8537db9ab90fb7cc17612a0330439c617b93e55f19c3772ce82623
SHA512 c4420a91d84727e2a74a32c17795859f9e72c3240b20869caae4742801835fa48b073ea16a9da7e27556edcfc13a414c8b3664c0244ce42435959a9598dbbdc9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0026da381b9125d0d34e175bab8c9637
SHA1 1fac4197ea3a036eb5b7e04196d0288f3360ec81
SHA256 5b4b5416235266d7fdeda43f7f133931e75bd0a51cf14686025ade547117e6c7
SHA512 3e96624186d81ddfd92fe2b7f05e4fc2b3d05b27f71c652b9d6ba6af134bc144a195e5ea276888703d1b748143f9574cf423082eaa4c24c7f6eca49dab7be1e0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:36

Reported

2024-05-16 10:39

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 4596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3252 wrote to memory of 4596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4976 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\rss\csrss.exe
PID 4976 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\rss\csrss.exe
PID 4976 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe C:\Windows\rss\csrss.exe
PID 4988 wrote to memory of 4816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 4816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 4816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 1140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 1140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 1140 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 392 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4988 wrote to memory of 392 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1676 wrote to memory of 2616 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2616 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2616 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe

"C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe

"C:\Users\Admin\AppData\Local\Temp\63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.58:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.61.62.23.in-addr.arpa udp
NL 23.62.61.58:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 6ac17af1-b2d5-4131-aa11-943fc6247eb5.uuid.datadumpcloud.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server15.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server15.datadumpcloud.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
BG 185.82.216.104:443 server15.datadumpcloud.org tcp
US 8.8.8.8:53 stun4.l.google.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.104:443 server15.datadumpcloud.org tcp

Files

memory/4936-1-0x0000000002920000-0x0000000002D20000-memory.dmp

memory/4936-2-0x0000000002D20000-0x000000000360B000-memory.dmp

memory/4936-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3964-4-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/3964-5-0x0000000005110000-0x0000000005146000-memory.dmp

memory/3964-7-0x0000000005830000-0x0000000005E58000-memory.dmp

memory/3964-6-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/3964-8-0x0000000005720000-0x0000000005742000-memory.dmp

memory/3964-10-0x0000000005F90000-0x0000000005FF6000-memory.dmp

memory/3964-11-0x00000000746F0000-0x0000000074EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqgughi1.ahq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3964-9-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/3964-21-0x0000000006100000-0x0000000006454000-memory.dmp

memory/3964-22-0x00000000066B0000-0x00000000066CE000-memory.dmp

memory/3964-23-0x00000000066F0000-0x000000000673C000-memory.dmp

memory/3964-24-0x0000000006C20000-0x0000000006C64000-memory.dmp

memory/3964-25-0x0000000007800000-0x0000000007876000-memory.dmp

memory/3964-26-0x0000000008100000-0x000000000877A000-memory.dmp

memory/3964-27-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

memory/3964-30-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/3964-29-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/3964-28-0x0000000007C50000-0x0000000007C82000-memory.dmp

memory/3964-31-0x0000000070D10000-0x0000000071064000-memory.dmp

memory/3964-41-0x0000000007C90000-0x0000000007CAE000-memory.dmp

memory/3964-42-0x0000000007CB0000-0x0000000007D53000-memory.dmp

memory/3964-43-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/3964-44-0x0000000007DA0000-0x0000000007DAA000-memory.dmp

memory/3964-45-0x0000000007ED0000-0x0000000007F66000-memory.dmp

memory/3964-46-0x0000000007DD0000-0x0000000007DE1000-memory.dmp

memory/3964-47-0x0000000007E10000-0x0000000007E1E000-memory.dmp

memory/3964-48-0x0000000007E30000-0x0000000007E44000-memory.dmp

memory/3964-49-0x0000000007E80000-0x0000000007E9A000-memory.dmp

memory/3964-50-0x0000000007E70000-0x0000000007E78000-memory.dmp

memory/3964-53-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4976-55-0x0000000002990000-0x0000000002D90000-memory.dmp

memory/4480-65-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4480-66-0x0000000070D10000-0x0000000071064000-memory.dmp

memory/4480-76-0x0000000007400000-0x00000000074A3000-memory.dmp

memory/4480-77-0x0000000007740000-0x0000000007751000-memory.dmp

memory/4480-78-0x0000000007790000-0x00000000077A4000-memory.dmp

memory/4936-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4936-80-0x0000000002920000-0x0000000002D20000-memory.dmp

memory/4936-81-0x0000000002D20000-0x000000000360B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4808-94-0x00000000063B0000-0x0000000006704000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 85247aa76c740e653d9a6a4c81cbc4bc
SHA1 38f3b3acb8d4345a1b5fffaa6e894d7103cf1625
SHA256 5b733226803262ecc0818c1b730d5953910ee5ce7842098d61c8915524f63688
SHA512 255d302e84901834864822b68c31bde99c9c8e9a160f11d250e3b29d9d9fc6e5a8654b59974c61eef20524f8ec1c76515e9ebd0884958df1559b69d4eddb2423

memory/4808-96-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4808-97-0x0000000070710000-0x0000000070A64000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7f5e91fe13380b1797b347dd6f82300a
SHA1 41aa923e744d8679af7e44fcbe104ed440273481
SHA256 24ac0f246ff700dc53dce17a9e3ffd6873ee54423233dc0b2cbcf0aca814ed69
SHA512 41e9537c0478d9cc5981e09e0c2c73cd4aceab0530447bfb0c10b173671df7275a3a5f6e3593deb1983dff1b60b243cb9eb9f0e7ee1e92052859e2098ae96c22

memory/4668-118-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4668-119-0x0000000070710000-0x0000000070A64000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 aee2c22e4314fbb67d91cd59ccfd1bef
SHA1 217182b4b27f675e49ccb59621ea6ce5ca212288
SHA256 63b205f7789f73e8a39eea8af4a7621404f86d47f073507d6557809bb5b661fe
SHA512 0b1391a78fe8be2413f6f431b297e35e78f8cbd22b9e715bb86f6dba6fe4ef2b45cccb3a6bd280b570926f4cc7dab4329f34de6c56b8e9107859175edd831cd3

memory/4976-134-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1bccb1a6f2566e6a5e170e44ece4e0d
SHA1 f9345b74aefd952c75f7b044c1562d7501a042c0
SHA256 dac8caff2e39592ba21b358bba4b9142e4834d95103aeb10dfef5f1116c0139c
SHA512 0f5ba4482b92315b075b54d549e499adb640f625eea57c221b4f5b7d6a863b67282a57cfec719249f59c92478e4aefad9f2599b81faee2206622751c31ccbba3

memory/4816-147-0x0000000070710000-0x0000000070A64000-memory.dmp

memory/4816-146-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/1140-167-0x0000000006250000-0x00000000065A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 023dc6085f06d4c70f1320944cbcd017
SHA1 168484950618eeeb56af64e7282e25138c6df50a
SHA256 c14c82bb0a93f783d11f39d777dd944292d34a89c2824a10df916716a8a981c2
SHA512 332c26a8c5e5ee6a3f997994c4e67581a65a5fc2454f9feee47440b8715e61faaa2838fb20da09b42455e90c96b54c304a2ae4f7582c5c99c29a742055e21c56

memory/1140-169-0x0000000006DF0000-0x0000000006E3C000-memory.dmp

memory/1140-172-0x0000000070640000-0x0000000070994000-memory.dmp

memory/1140-171-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/1140-182-0x0000000007AF0000-0x0000000007B93000-memory.dmp

memory/1140-183-0x0000000007E00000-0x0000000007E11000-memory.dmp

memory/1140-184-0x00000000061B0000-0x00000000061C4000-memory.dmp

memory/3228-195-0x0000000005FC0000-0x0000000006314000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 efb6bb3bb7851134de1d4d4eecfe44e4
SHA1 bb96624570db0e39d2dea1f104241cfe40859441
SHA256 bbeee5e32eb1012031330b61565cf0acdef9961cb7e9e66e9548f93790bf779f
SHA512 1b7a044cf23a78826ccdc7ab322079f327c5b9ac8b1981294d15d549c5ddbf914b4ac7ec3bde1f8c20e3d486ddb5291d778b8d6b630a902c0e7d3c8ad56f5a65

memory/3228-197-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/3228-198-0x0000000070630000-0x0000000070984000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4988-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1676-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1240-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1676-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4988-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1240-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4988-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1240-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4988-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4988-258-0x0000000000400000-0x0000000000D1C000-memory.dmp