Malware Analysis Report

2024-12-08 02:16

Sample ID 240516-pkx7esch37
Target 3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd
SHA256 3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd

Threat Level: Known bad

The file 3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:23

Reported

2024-05-16 12:26

Platform

win11-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; the report captured no description, indicator, process or target for this signature)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows; no indicator detail captured)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (14 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A (12 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 5052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 3976 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 4952 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4184 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3424 wrote to memory of 2236 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 4616 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 1604 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\rss\csrss.exe
PID 1604 wrote to memory of 1144 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 2504 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 2496 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 2732 (2 writes) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3364 wrote to memory of 3572 (3 writes) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 5032 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe

"C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe

"C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 server15.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
N/A 127.0.0.1:3478 udp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
SE 192.229.221.95:80 tcp

Files

memory/3484-1-0x0000000002A50000-0x0000000002E57000-memory.dmp

memory/3484-2-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/3484-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5052-4-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

memory/5052-5-0x0000000005240000-0x0000000005276000-memory.dmp

memory/5052-6-0x00000000059F0000-0x000000000601A000-memory.dmp

memory/5052-7-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/5052-8-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/5052-9-0x0000000005930000-0x0000000005952000-memory.dmp

memory/5052-10-0x0000000006110000-0x0000000006176000-memory.dmp

memory/5052-11-0x0000000006180000-0x00000000061E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqxbacav.5hs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5052-20-0x00000000061F0000-0x0000000006547000-memory.dmp

memory/5052-21-0x00000000066D0000-0x00000000066EE000-memory.dmp

memory/5052-22-0x0000000006700000-0x000000000674C000-memory.dmp

memory/5052-23-0x0000000006C50000-0x0000000006C96000-memory.dmp

memory/5052-25-0x0000000071010000-0x000000007105C000-memory.dmp

memory/5052-24-0x0000000007B00000-0x0000000007B34000-memory.dmp

memory/5052-26-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/5052-27-0x0000000071190000-0x00000000714E7000-memory.dmp

memory/5052-36-0x0000000007B40000-0x0000000007B5E000-memory.dmp

memory/5052-37-0x0000000007B60000-0x0000000007C04000-memory.dmp

memory/5052-38-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/5052-40-0x0000000007C90000-0x0000000007CAA000-memory.dmp

memory/5052-39-0x00000000082D0000-0x000000000894A000-memory.dmp

memory/5052-41-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

memory/5052-42-0x0000000007DB0000-0x0000000007E46000-memory.dmp

memory/5052-43-0x0000000007D20000-0x0000000007D31000-memory.dmp

memory/5052-44-0x0000000007D60000-0x0000000007D6E000-memory.dmp

memory/5052-45-0x0000000007D70000-0x0000000007D85000-memory.dmp

memory/5052-46-0x0000000007E70000-0x0000000007E8A000-memory.dmp

memory/5052-47-0x0000000007E60000-0x0000000007E68000-memory.dmp

memory/5052-50-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/3484-52-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/3424-53-0x0000000002A20000-0x0000000002E1D000-memory.dmp

memory/3976-62-0x0000000006350000-0x00000000066A7000-memory.dmp

memory/3976-63-0x0000000071010000-0x000000007105C000-memory.dmp

memory/3976-64-0x0000000071260000-0x00000000715B7000-memory.dmp

memory/3976-73-0x00000000078A0000-0x0000000007944000-memory.dmp

memory/3976-74-0x0000000007DD0000-0x0000000007DE1000-memory.dmp

memory/3484-76-0x0000000002A50000-0x0000000002E57000-memory.dmp

memory/3484-75-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3976-77-0x0000000007E20000-0x0000000007E35000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2236-89-0x0000000006030000-0x0000000006387000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 44541186ca55556b03a806e0b5f89de8
SHA1 7fb6e1a07e07d69091ef1070bf319f0320249437
SHA256 0cb2e1b6796136e17457c594d144547ede8f974fe7840fd63637de84df070abb
SHA512 a0495d5379c00c4471b8b5f79efa47c21aedd0649da3ff0ea6ec1d7564fcdd08383e7427d985a8fc97bdfd4b1c0f125cda696c7fc42d80ef52c081a768f5e8dd

memory/2236-92-0x00000000711B0000-0x0000000071507000-memory.dmp

memory/2236-91-0x0000000071010000-0x000000007105C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3bef80f38ac0a54fc3896fc68df72ce1
SHA1 6aa9aaf59a813080509937e0b04ec01a1e800827
SHA256 ce6fa31febf7923f07a5e17de9011d5702fb35928247738f26d14e490ccb9eae
SHA512 1aecb2dcf6b2b9b29f445bbb7b74d66044ac3d97163938fc410d0f4c2c341ff8a1b4ed5e54a482f8b2653421a5b5cc3f75145c9953e1c698982fdffb66d41c85

memory/4616-111-0x0000000071010000-0x000000007105C000-memory.dmp

memory/4616-112-0x0000000071260000-0x00000000715B7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 46c502a3fbe0860867a95e77bdb9955f
SHA1 f41ab7484c43c8037353e95f80b191be517eae19
SHA256 3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd
SHA512 36dde9178f451b24eb21e0b52231fd73d7cc545cc6a36fe7f34480d805168428d2814bb8f70f89a8bea59cdade4829fbb0e36c675c1a4f9666b90ebbc04f6917

memory/3424-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 75471c6d28b10e74a189fdddf734d3f3
SHA1 77c4e2224e29528f0ba33d52357ab93d2558e007
SHA256 7a1abe4402d2013c4b722df79367a400b2257696ba73c7d8240340b61da842f8
SHA512 c073e9f0232740dfd037fb837bae86085dabdcdd1145d5d7daa08c66eb0fc01c2e9044bdec1ff79e16da6d578e0d6fc385460370e91c4d96b0b2334328446807

memory/1144-138-0x0000000071010000-0x000000007105C000-memory.dmp

memory/1144-139-0x0000000071190000-0x00000000714E7000-memory.dmp

memory/2504-149-0x0000000006050000-0x00000000063A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2e76260d6bb17e2689d08007af23d44d
SHA1 39ed8da6053133ea9afc993b96cd797f9d639af7
SHA256 6bf85020f802344ff5025e8028dc01fc7489de558369c9fd1baab7f0bf752a74
SHA512 ed2924e3f92912bd4a5be8d5f8ec2e35d5f9255b84f591c66d3f4d61477a2a52b845c0aae8388552b32fae02094b2572760aa8b853bb68fd77da2d8f1649154f

memory/2504-159-0x0000000006B00000-0x0000000006B4C000-memory.dmp

memory/2504-160-0x0000000070F30000-0x0000000070F7C000-memory.dmp

memory/2504-161-0x0000000071180000-0x00000000714D7000-memory.dmp

memory/2504-170-0x0000000007810000-0x00000000078B4000-memory.dmp

memory/2504-171-0x0000000007B90000-0x0000000007BA1000-memory.dmp

memory/2504-172-0x00000000063D0000-0x00000000063E5000-memory.dmp

memory/2496-182-0x0000000006390000-0x00000000066E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b7a344ad336fa93e51cb8829e01aaaef
SHA1 ae606b116dcd32a35a25d775c70cb966a7442cfd
SHA256 7df04c71ac0aed203474f10945cd0d31e7e27ce286c119f74f2dd303d659e3a9
SHA512 856f0578d1650e6c9ef7a624b972182e65c7b9123426220086a74373baeb284c1b0da0ab5b3a9b0689ffbca67d53b5407206e5235ffd5700ab406f11091d0866

memory/2496-184-0x0000000070F30000-0x0000000070F7C000-memory.dmp

memory/2496-185-0x00000000710B0000-0x0000000071407000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1604-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1604-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3364-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1652-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3364-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1604-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1652-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1604-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1652-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1604-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1604-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1604-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1604-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1604-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1604-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1604-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1604-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:23

Reported

2024-05-16 12:26

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3936 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1944 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4804 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\rss\csrss.exe
PID 4804 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\rss\csrss.exe
PID 4804 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe C:\Windows\rss\csrss.exe
PID 4964 wrote to memory of 4624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 4624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 4624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 4448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 4448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 4448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 2864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 2864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 2864 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 512 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4964 wrote to memory of 512 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3908 wrote to memory of 3584 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 3584 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 3584 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3584 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3584 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe

"C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe

"C:\Users\Admin\AppData\Local\Temp\3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 6c5ce606-7710-4de7-9c24-f75d54c33056.uuid.statsexplorer.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server6.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
US 8.8.8.8:53 stun2.l.google.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtgk4fzv.yso.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b60f2e4365af29f13405bcfe756ea2e7
SHA1 1da60de2b5276796c5b9e614a2702ae38866ee0f
SHA256 dea15d170b889a3a11890d47d08eb7f81a63f9db4956641b5c105f420c192166
SHA512 a0b0651a5cd6e1542d2c0f0e2bfdaaacee748f45e0014c46ec08606322df85d4d69fa85d4e8e8675a51686bc82b826ff048e49bf2a38b754efacc0c8f9adb50f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a0c408a0adb0027c1f146b5fabc6e62f
SHA1 17a6d7c1fc5a016e9f4a99ff31f59dcb13a39b8f
SHA256 641a4201bdce8f6bace6c9663e260c3d23c65b334a3742ad211d2888dd838e88
SHA512 b8056db587ff8367112565d901191724e6bab9ed161b18367dbdfd4242fb28e1a7bf1fe93119b9c3f63e3b3fae30aee5493a5f4110f61458df22a2c1ca07dbcb

C:\Windows\rss\csrss.exe

MD5 46c502a3fbe0860867a95e77bdb9955f
SHA1 f41ab7484c43c8037353e95f80b191be517eae19
SHA256 3e6cc8f52f84408159b99dced8c95004c33e80879a9c9ed122f36b23298562cd
SHA512 36dde9178f451b24eb21e0b52231fd73d7cc545cc6a36fe7f34480d805168428d2814bb8f70f89a8bea59cdade4829fbb0e36c675c1a4f9666b90ebbc04f6917

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5911db6c16e7a2469b38da8d14b5a941
SHA1 82e20b87d07d003815de211a4a3d701947d515b1
SHA256 02e566241545cb98530c640e340bf53646755aa5c7fa83144998f6acd70a3668
SHA512 0011ee5937c6144d1005a166bd268697762c99a8167aa3f1b01b9d394b33f49c6b19b61d68e50384969d86ccc524943a174660ec6ca37e8a6199212e7c4a8143

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 502bbc1f5845ca276d08234de82c7b1b
SHA1 ba9dc928b6c7e2ab71a8c83fccb073f22c55205c
SHA256 164be75a6a7998b110e28b3ee0bb4d07949698839735300bb4425faa2d22ddb6
SHA512 62238364c8807d1b7d065c611b15048ccb66ff696b71b030b3ec0591f60210f0734ef6297037f8bc4aba68a2b0fa4b82577649aba086ffc83e7254045ebe2f10

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9f0dbd6dff6d33ef7c96737be43934d5
SHA1 7e0846370cf0f56aebfc605b28bf40f0d9052393
SHA256 d3022f5ba41dd0387b5e7c8049fb2612007b07e2e0154d9b8c4f71c16da4edcd
SHA512 c0436f51235b11da5bb53d5706248936f60ebdbf77721dddd4af928db506f9157beb7440f27d352ed6fdedc28ef2f3c83451ef1022f5e7bb8b42d7dd1f333edf

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
