Malware Analysis Report

2024-12-08 02:08

Sample ID 240516-plgk3acc7v
Target 9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f
SHA256 9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f

Threat Level: Known bad

The file 9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-16 12:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-16 12:24
Reported 2024-05-16 12:27
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (18 matches, no indicator details recorded)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 matches, no indicator details recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (14 matches) | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe (12 matches) | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (32 matches) | N/A
N/A | N/A | C:\Windows\rss\csrss.exe (6 matches) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1604 wrote to memory of 3312 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4732 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 3356 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 2880 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4616 wrote to memory of 1140 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2448 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4620 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe | C:\Windows\rss\csrss.exe
PID 4620 wrote to memory of 1948 (3 events) | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 4192 (3 events) | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 3288 (3 events) | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 2392 (2 events) | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3024 wrote to memory of 3840 (3 events) | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 5104 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe

"C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe

"C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
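The `sc sdset WinDefender ...` command in the Processes list above rewrites the security descriptor of the service that windefender.exe registers. Read as SDDL, it is the interesting part of this detonation's defence evasion, so the decoder below (an added example, not part of the sandbox report or of the sample) parses that exact string into ACEs and answers the question an analyst will ask first: who is still allowed to stop the service. The SDDL string is copied from the report; the right and SID abbreviations are the documented service-object meanings; `can_stop` checks one trustee at a time and does not expand group membership.

```python
"""Decode the service security descriptor applied by `sc sdset WinDefender`.

Added example, not from the sandbox report or the sample. Abbreviations follow
the documented SDDL tables for service objects."""
import re

# SDDL string copied from the sc.exe command line in the report.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# Well-known SID aliases used in this descriptor.
WELL_KNOWN_SIDS = {
    "SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone",
}
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into DACL and SACL and decode every ACE.

    Each ACE is (type;flags;rights;object_guid;inherit_guid;sid). For audit
    ACEs the flags field is kept raw: "FA" = audit failed access."""
    result = {"dacl": [], "sacl": []}
    for key, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        target = result["dacl" if key == "D" else "sacl"]
        for ace in _ACE_RE.findall(body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: {ace}")
            ace_type, flags, rights, _obj, _inh, sid = fields
            target.append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)],
                "trustee": WELL_KNOWN_SIDS.get(sid, sid),
            })
    return result


def denied_to_admins(parsed):
    """Rights that a deny ACE explicitly withholds from BUILTIN\\Administrators."""
    denied = []
    for ace in parsed["dacl"]:
        if ace["type"] == "ACCESS_DENIED" and ace["trustee"] == "BUILTIN\\Administrators":
            denied.extend(ace["rights"])
    return denied


def can_stop(parsed, sid_alias):
    """Walk the DACL in order for a single trustee and decide SERVICE_STOP.

    Simplified access check: the first matching deny ACE that covers the right
    loses, the first matching allow ACE that covers it wins, no ACE means no."""
    trustee = WELL_KNOWN_SIDS.get(sid_alias, sid_alias)
    for ace in parsed["dacl"]:
        if ace["trustee"] != trustee or "SERVICE_STOP" not in ace["rights"]:
            continue
        return ace["type"] == "ACCESS_ALLOWED"
    return False


if __name__ == "__main__":
    parsed = parse_sddl(WINDEFENDER_SDDL)
    for ace in parsed["dacl"]:
        print(ace["type"], ace["trustee"], ", ".join(ace["rights"]))
    print("denied to admins:", denied_to_admins(parsed))
    print("SYSTEM can stop:", can_stop(parsed, "SY"), "| admins can stop:", can_stop(parsed, "BA"))
```

Running the decoder over the report's string shows the pattern: the allow ACE for Administrators already omits SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and the following deny ACE withholds them explicitly, so `sc stop` or `net stop` from an elevated prompt is refused while LOCAL SYSTEM keeps full control. The same allow ACE still grants Administrators WRITE_DAC and DELETE, so (inferred from the descriptor, not stated by the report) an elevated `sc sdset WinDefender` with a sane descriptor restores the stop right before removing the service.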

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9614e457-0f8d-4b98-b50a-a08b0418d30a.uuid.theupdatetime.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server13.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.108:443 server13.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server13.theupdatetime.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BG 185.82.216.108:443 server13.theupdatetime.org tcp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/1604-1-0x0000000002920000-0x0000000002D27000-memory.dmp

memory/1604-2-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/1604-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-4-0x000000007458E000-0x000000007458F000-memory.dmp

memory/3312-5-0x0000000004990000-0x00000000049C6000-memory.dmp

memory/3312-7-0x0000000005040000-0x0000000005668000-memory.dmp

memory/3312-6-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3312-8-0x0000000004F90000-0x0000000004FB2000-memory.dmp

memory/3312-9-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3312-10-0x0000000005860000-0x00000000058C6000-memory.dmp

memory/3312-11-0x00000000058D0000-0x0000000005936000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0yitnqr.pgd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3312-17-0x0000000005950000-0x0000000005CA4000-memory.dmp

memory/3312-22-0x0000000005F70000-0x0000000005F8E000-memory.dmp

memory/3312-23-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

memory/3312-24-0x00000000064B0000-0x00000000064F4000-memory.dmp

memory/3312-25-0x0000000007280000-0x00000000072F6000-memory.dmp

memory/3312-27-0x0000000007320000-0x000000000733A000-memory.dmp

memory/3312-26-0x0000000007980000-0x0000000007FFA000-memory.dmp

memory/3312-28-0x00000000074D0000-0x0000000007502000-memory.dmp

memory/3312-29-0x0000000070420000-0x000000007046C000-memory.dmp

memory/3312-30-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3312-31-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

memory/3312-41-0x0000000007510000-0x000000000752E000-memory.dmp

memory/3312-42-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3312-43-0x0000000007530000-0x00000000075D3000-memory.dmp

memory/3312-44-0x0000000007620000-0x000000000762A000-memory.dmp

memory/3312-45-0x00000000076F0000-0x0000000007786000-memory.dmp

memory/3312-46-0x0000000007650000-0x0000000007661000-memory.dmp

memory/3312-47-0x0000000007690000-0x000000000769E000-memory.dmp

memory/3312-48-0x00000000076A0000-0x00000000076B4000-memory.dmp

memory/3312-49-0x0000000007790000-0x00000000077AA000-memory.dmp

memory/3312-50-0x00000000076D0000-0x00000000076D8000-memory.dmp

memory/3312-53-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/4616-55-0x0000000002940000-0x0000000002D3D000-memory.dmp

memory/4616-56-0x0000000002D40000-0x000000000362B000-memory.dmp

memory/4732-66-0x0000000005910000-0x0000000005C64000-memory.dmp

memory/4732-67-0x0000000070420000-0x000000007046C000-memory.dmp

memory/4732-68-0x00000000705C0000-0x0000000070914000-memory.dmp

memory/4732-78-0x00000000070A0000-0x0000000007143000-memory.dmp

memory/1604-80-0x0000000002920000-0x0000000002D27000-memory.dmp

memory/1604-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4732-81-0x00000000073B0000-0x00000000073C1000-memory.dmp

memory/4732-82-0x0000000007400000-0x0000000007414000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7ddf026f5bb5a92eb9ea0b0dc7cdc2ca
SHA1 1d1d0f66357e0ae811613db4fae4bf4956e7e3f7
SHA256 7e5acae20961c320954944460bf94542e4e469098ac14464f67860a270aca633
SHA512 d3ac98e7f25c812d38dd6df2b535d456b350a288621fa42359d1c0793d626094bbf76393feaa7d115697cfed3ff72018b9c7e61f11da148cf05f75b9f65f70c4

memory/1140-96-0x0000000070420000-0x000000007046C000-memory.dmp

memory/1140-97-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 64bbe8f7f97443864200336613f3deae
SHA1 03d842ccb33c6507e208c0bdce8ae1aca977ac58
SHA256 8cfbb0b9b69e077ef051816bdcc0876c5ab5047be4e4e9e64a89c4b7c3982a6b
SHA512 e31465721ebb32ef251bbb87c54a25e965caf55cf8540d4a389dd7cd4609db0911e17593eab8369b6e6a736f94759e981fc65a20318efc09ec46c3f89dcdaabb

memory/2448-119-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

memory/2448-118-0x0000000070420000-0x000000007046C000-memory.dmp

memory/4616-129-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d9703596088492d4d7d23e7464ca6d24
SHA1 cec8363e3f4b69f6ba9fd304fb5f951fc9547d76
SHA256 9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f
SHA512 af7ba3881c4fa8c7dd173f77f6ccf92d35ecea98c0dfdc2662031e103589ea6095fb26fff2e646760557ded6b38edf7794cc65692329bc61184d65aa49c00740

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2fd61618be2dd49a69a4f5b3a6e59af
SHA1 3925d793b0763881289b23860653bb546c3bbb23
SHA256 d7e3d48f14bf20137f93ceff27b2bb0c21db944ec3e0fb448fe42340e26f156d
SHA512 b3d2fe2e72bbe4c8f5089290bbbe3fe388ee8c38bd741e51e9912a52dcb8cc1838605518c25c96de1aebd90393cd1fb207b8cc645c49d982a5fa6c432c83010d

memory/1948-147-0x0000000070420000-0x000000007046C000-memory.dmp

memory/1948-148-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

memory/4192-168-0x00000000062B0000-0x0000000006604000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 87a31cea90d805425c1157ccb4d2ae58
SHA1 c1791589f2bd576abd12e1418f927876d93ad5d7
SHA256 f4457e283f13651920357ded34fe3862ea354caa5698938320cea3f290512de1
SHA512 8935ffc91256d64b6a150c7567b8644701103436576da6a40ee7ef61641d973bef9a6d7f60f91cbf53d7f9491613fec94020733174a8f2691c9b4dbf794671ba

memory/4192-170-0x0000000006750000-0x000000000679C000-memory.dmp

memory/4192-171-0x0000000070340000-0x000000007038C000-memory.dmp

memory/4192-172-0x00000000704C0000-0x0000000070814000-memory.dmp

memory/4192-182-0x0000000007960000-0x0000000007A03000-memory.dmp

memory/4192-183-0x0000000007CC0000-0x0000000007CD1000-memory.dmp

memory/4192-184-0x0000000006100000-0x0000000006114000-memory.dmp

memory/3288-195-0x00000000059B0000-0x0000000005D04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 33d7e2f5a282487056660bbedb532b84
SHA1 4d31594852afd2a5c4bcf0e716d3f294ee50aef5
SHA256 0975657f07db928b1ec2614a5a9ced870480c638998c90f09ac1471d00a4ab2a
SHA512 a59b5b563c3ff82174b7bf67209162b540654e331a5a84297689fa6b99bd3d593cdd7b9432cba879dba58e3a9ee843a3b730c397a0b567ebcf91a4a5d8c7aa5c

memory/3288-197-0x0000000070340000-0x000000007038C000-memory.dmp

memory/3288-198-0x0000000070AD0000-0x0000000070E24000-memory.dmp

memory/4616-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4616-217-0x0000000002940000-0x0000000002D3D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3024-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3024-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4620-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4620-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4504-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4620-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4620-267-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:24

Reported

2024-05-16 12:27

Platform

win11-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
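The signatures above (Modifies Windows Firewall, Adds Run key, Creates scheduled task(s), Launches sc.exe) and the command lines recorded in the behavioral1 Processes list give enough to write detection logic that does not depend on this sample's hashes: csrss.exe running from C:\Windows\rss instead of System32, a scheduled task or firewall allow rule pointing at a binary outside the standard program directories, a Run value doing the same, and `sc sdset` writing a deny ACE. The rules below are an added example, not part of the sandbox report. The events are constructed to resemble Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) fields; the malicious ones reuse the report's command lines and Run value, with the hash-named dropper shortened to the placeholder sample.exe, and the benign ones are made up for contrast.

```python
"""Detection rules for the persistence and evasion seen in this detonation.

Added example, not part of the sandbox report. Events are constructed; the
malicious ones carry the command lines and Run value from the report."""
import re
from pathlib import PureWindowsPath

# Directories from which scheduled-task, firewall and Run-key targets are expected.
TRUSTED_ROOTS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                 "c:\\program files", "c:\\program files (x86)")
# Core Windows process names that only ever run from System32.
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe",
                       "services.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32"}


def under_trusted_root(path):
    """True when the (possibly quoted) path starts with a trusted directory."""
    p = path.strip('"').lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def rule_masquerading(ev):
    """Core system process name launched from outside System32 (T1036)."""
    image = PureWindowsPath(ev["image"])
    return (image.name.lower() in SYSTEM_BINARY_NAMES
            and str(image.parent).lower() not in SYSTEM_DIRS)


_SCHTASKS = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
_TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def rule_scheduled_task(ev):
    """schtasks /CREATE whose /TR action lives outside the trusted directories."""
    cmd = ev["command_line"]
    if not _SCHTASKS.search(cmd):
        return False
    m = _TASK_ACTION.search(cmd)
    action = (m.group(1) or m.group(2)) if m else ""
    return bool(action) and not under_trusted_root(action)


_NETSH_ADD = re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
_PROGRAM = re.compile(r'program=(?:"([^"]+)"|(\S+))', re.I)


def rule_firewall_allow(ev):
    """Allow rule added for a program outside the trusted directories."""
    cmd = ev["command_line"]
    if not _NETSH_ADD.search(cmd) or not re.search(r"action=allow", cmd, re.I):
        return False
    m = _PROGRAM.search(cmd)
    program = (m.group(1) or m.group(2)) if m else ""
    return bool(program) and not under_trusted_root(program)


_SC_SDSET = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)


def rule_service_deny_ace(ev):
    """sc sdset writing a deny ACE into a service DACL (blocks stop/pause)."""
    m = _SC_SDSET.search(ev["command_line"])
    return bool(m) and "(D;;" in m.group(2).upper()


def rule_run_key(ev):
    """Run value whose target executable lives outside the trusted directories."""
    return ("\\currentversion\\run\\" in ev["target_object"].lower()
            and not under_trusted_root(ev["details"]))


PROCESS_RULES = [("masquerading_system_binary", rule_masquerading),
                 ("scheduled_task_untrusted_action", rule_scheduled_task),
                 ("firewall_allow_untrusted_program", rule_firewall_allow),
                 ("service_dacl_deny_ace", rule_service_deny_ace)]
REGISTRY_RULES = [("run_key_untrusted_target", rule_run_key)]


def run_rules(events):
    """Return {event index: [names of rules that fired]} for firing events only."""
    hits = {}
    for i, ev in enumerate(events):
        rules = PROCESS_RULES if ev["event_type"] == "process" else REGISTRY_RULES
        fired = [name for name, rule in rules if rule(ev)]
        if fired:
            hits[i] = fired
    return hits


def proc(image, command_line, parent):
    return {"event_type": "process", "image": image, "command_line": command_line, "parent_image": parent}


def reg(image, target_object, details):
    return {"event_type": "registry", "image": image, "target_object": target_object, "details": details}


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # placeholder for the hash-named dropper
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed events: indices 0-4 reproduce the report, 5-9 are benign look-alikes.
EVENTS = [
    proc(r"C:\Windows\rss\csrss.exe", r'"C:\Windows\rss\csrss.exe"', DROPPER),
    proc(r"C:\Windows\SYSTEM32\schtasks.exe",
         r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
         r"C:\Windows\rss\csrss.exe"),
    proc(r"C:\Windows\system32\netsh.exe",
         r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
         r"C:\Windows\system32\cmd.exe"),
    proc(r"C:\Windows\SysWOW64\sc.exe", "sc sdset WinDefender " + SDDL, r"C:\Windows\SysWOW64\cmd.exe"),
    reg(DROPPER, r"HKU\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
        r'"C:\Windows\rss\csrss.exe"'),
    proc(r"C:\Windows\System32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows",
         r"C:\Windows\System32\smss.exe"),
    proc(r"C:\Windows\System32\schtasks.exe",
         r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe"', r"C:\Windows\System32\cmd.exe"),
    proc(r"C:\Windows\System32\netsh.exe",
         r'netsh advfirewall firewall add rule name="Backup" dir=in action=allow program="C:\Program Files\Backup\backup.exe" enable=yes',
         r"C:\Windows\System32\cmd.exe"),
    proc(r"C:\Windows\System32\sc.exe", "sc sdset BackupSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)",
         r"C:\Windows\System32\cmd.exe"),
    reg(r"C:\Program Files\Backup\setup.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BackupTray",
        r'"C:\Program Files\Backup\tray.exe"'),
]

if __name__ == "__main__":
    for idx, names in run_rules(EVENTS).items():
        print(idx, EVENTS[idx].get("command_line") or EVENTS[idx]["target_object"], "->", names)
```

Each rule keys on the behaviour rather than the file name, so a rebuilt dropper with a different hash, task name or service name still fires; the trusted-root allowlist is the knob to tune per environment, and the masquerading rule should be extended with the parent-process check (csrss.exe is only ever started by smss.exe) when parent data is available.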

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\system32\cmd.exe
PID 4292 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\system32\cmd.exe
PID 3668 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3668 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\rss\csrss.exe
PID 4292 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\rss\csrss.exe
PID 4292 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe C:\Windows\rss\csrss.exe
PID 2756 wrote to memory of 4676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 3360 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 3360 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 3360 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2756 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5016 wrote to memory of 1436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 1436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 1436 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1436 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1436 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

Process C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe
Command line "C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe"

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe
Command line "C:\Users\Admin\AppData\Local\Temp\9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f.exe"

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\system32\cmd.exe
Command line C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Process C:\Windows\system32\netsh.exe
Command line netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\rss\csrss.exe
Command line C:\Windows\rss\csrss.exe

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\SYSTEM32\schtasks.exe
Command line schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Process C:\Windows\SYSTEM32\schtasks.exe
Command line schtasks /delete /tn ScheduledUpdate /f

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Process C:\Windows\SYSTEM32\schtasks.exe
Command line schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Process C:\Windows\windefender.exe
Command line "C:\Windows\windefender.exe"

Process C:\Windows\SysWOW64\cmd.exe
Command line cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Process C:\Windows\SysWOW64\sc.exe
Command line sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Process C:\Windows\windefender.exe
Command line C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 680c9ce2-c1e6-427a-bdc3-061ac533b234.uuid.theupdatetime.org udp
US 8.8.8.8:53 server5.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server5.theupdatetime.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server5.theupdatetime.org tcp
BG 185.82.216.108:443 server5.theupdatetime.org tcp
N/A 127.0.0.1:31465 N/A tcp

Files

memory/4992-1-0x0000000002A20000-0x0000000002E1A000-memory.dmp

memory/4992-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/4992-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2004-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

memory/2004-5-0x0000000003190000-0x00000000031C6000-memory.dmp

memory/2004-6-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/2004-7-0x0000000005A20000-0x000000000604A000-memory.dmp

memory/2004-8-0x00000000058E0000-0x0000000005902000-memory.dmp

memory/2004-9-0x00000000060C0000-0x0000000006126000-memory.dmp

memory/2004-10-0x0000000006130000-0x0000000006196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vreybiuy.lvv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2004-19-0x00000000061A0000-0x00000000064F7000-memory.dmp

memory/2004-20-0x0000000006680000-0x000000000669E000-memory.dmp

memory/2004-21-0x0000000006710000-0x000000000675C000-memory.dmp

memory/2004-22-0x0000000006BD0000-0x0000000006C16000-memory.dmp

memory/2004-23-0x0000000007A80000-0x0000000007AB4000-memory.dmp

memory/2004-24-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

memory/2004-26-0x0000000071040000-0x0000000071397000-memory.dmp

memory/2004-25-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/2004-35-0x0000000007AE0000-0x0000000007AFE000-memory.dmp

memory/2004-36-0x0000000007B00000-0x0000000007BA4000-memory.dmp

memory/2004-37-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/2004-39-0x0000000007C30000-0x0000000007C4A000-memory.dmp

memory/2004-38-0x0000000008270000-0x00000000088EA000-memory.dmp

memory/2004-40-0x0000000007C70000-0x0000000007C7A000-memory.dmp

memory/2004-41-0x0000000007D80000-0x0000000007E16000-memory.dmp

memory/2004-42-0x0000000007C90000-0x0000000007CA1000-memory.dmp

memory/2004-43-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

memory/2004-44-0x0000000007CF0000-0x0000000007D05000-memory.dmp

memory/2004-45-0x0000000007D40000-0x0000000007D5A000-memory.dmp

memory/2004-46-0x0000000007D60000-0x0000000007D68000-memory.dmp

memory/2004-49-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/4992-50-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4992-51-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/4292-53-0x0000000002A30000-0x0000000002E34000-memory.dmp

memory/4428-62-0x00000000060A0000-0x00000000063F7000-memory.dmp

memory/4428-63-0x0000000006B50000-0x0000000006B9C000-memory.dmp

memory/4428-64-0x0000000070FD0000-0x000000007101C000-memory.dmp

memory/4428-65-0x00000000711E0000-0x0000000071537000-memory.dmp

memory/4428-74-0x0000000007820000-0x00000000078C4000-memory.dmp

memory/4428-75-0x0000000007B50000-0x0000000007B61000-memory.dmp

memory/4428-76-0x0000000007BA0000-0x0000000007BB5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/408-88-0x0000000005680000-0x00000000059D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d5bc48c96358c701ab0637dd33de5a70
SHA1 decf03eb4867497c2dfdf66d1d4e1314f6fdd709
SHA256 f0823595759e1ff5adae6db2d9fe8cbd35068964c267c1b12fe91afa981b8347
SHA512 993be25c89787a221fe921d0a3b318e0b46f9f0348f81cbf09a1b6038cda171547de54aab8237456052c514a74ea48610b161d5dbc84274e40529ba9bb17ecf9

memory/408-91-0x0000000071180000-0x00000000714D7000-memory.dmp

memory/408-90-0x0000000070FD0000-0x000000007101C000-memory.dmp

memory/5072-106-0x00000000058E0000-0x0000000005C37000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 480b16fac2f81aff3694b62d4d96d22a
SHA1 4bd7603622299def36436ce8b1d9727a499fe078
SHA256 82a82329c7657af5c2ead041c033dec1c2c7d2b537a13f99430b50bd71444e89
SHA512 2b099e7973c4fad59e85e0c1a9cd5077fe7c5ecd90bb4a87ecc987300c421cc2cbfed6c4b25b8988d08f74f5fd25f4924f33740efe448cccb8522fde3b921dd1

memory/5072-112-0x0000000071220000-0x0000000071577000-memory.dmp

memory/5072-111-0x0000000070FD0000-0x000000007101C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d9703596088492d4d7d23e7464ca6d24
SHA1 cec8363e3f4b69f6ba9fd304fb5f951fc9547d76
SHA256 9e2c41b4085b3d9ea794d66d70d4d2b2b04ec54a84faf780f0ec46310fdfe91f
SHA512 af7ba3881c4fa8c7dd173f77f6ccf92d35ecea98c0dfdc2662031e103589ea6095fb26fff2e646760557ded6b38edf7794cc65692329bc61184d65aa49c00740

memory/4292-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4676-136-0x0000000006220000-0x0000000006577000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8e3ca40e3afabd27f2c6756914db5088
SHA1 7ff899c546725d481d6167ce5634da4ac4868e45
SHA256 f853252129c3d1cd2f93399402ef78d4216456598efb6d1208ee4476e3727404
SHA512 0520a55f1ca9cc5bff76ef082681a8e213b583d266ad550d738520368defc707baa8bc640737240344d6019f34dacfa83b6054ca9ec5fe3826f86ad0a6c2c1da

memory/4676-138-0x0000000006B40000-0x0000000006B8C000-memory.dmp

memory/4676-140-0x00000000710B0000-0x0000000071407000-memory.dmp

memory/4676-139-0x0000000070F30000-0x0000000070F7C000-memory.dmp

memory/4676-149-0x0000000007A80000-0x0000000007B24000-memory.dmp

memory/4676-150-0x0000000007DD0000-0x0000000007DE1000-memory.dmp

memory/4676-151-0x00000000065A0000-0x00000000065B5000-memory.dmp

memory/3360-161-0x00000000062F0000-0x0000000006647000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2108d167367e0fd356c859faed778390
SHA1 86e0e006d4dda270a20cd1b3f3a43cd23ad171a2
SHA256 7d6f0fd17647b86934b92f502dc4dcbb1395ec1934356c08af5423f7dbfa5689
SHA512 e9cc68514127331fff6c1db3d1a87f4d1722e7184090c6068b4c2cc5908b469bdb3cd2fb3fe35af75f902eb612e07573136b80d03e8ffafe424bdd2d52fa3669

memory/3360-163-0x0000000006D40000-0x0000000006D8C000-memory.dmp

memory/3360-164-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/3360-174-0x0000000007AF0000-0x0000000007B94000-memory.dmp

memory/3360-165-0x0000000071790000-0x0000000071AE7000-memory.dmp

memory/3360-175-0x0000000007C80000-0x0000000007C91000-memory.dmp

memory/3360-176-0x0000000006670000-0x0000000006685000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3167f4a5a03c9ebaf0031e1be993e4e
SHA1 ada517cc0af62ddb71cb8d41f77bea4b97ef40c4
SHA256 c7b2614ded343fc536cdb06ceb972de257ef0c39d60705f936a9691d289024d1
SHA512 765216f896390ef2fa4e483ca0c1722f7c0c6fea104a51219e495c3e81d5a7f1801d96d757ebd92e08fe98c3a0cf46887db0dd2f8b01a6d300a6c5b47a88a0a8

memory/2936-186-0x0000000006250000-0x00000000065A7000-memory.dmp

memory/2936-189-0x0000000070FD0000-0x0000000071327000-memory.dmp

memory/2936-188-0x0000000070E50000-0x0000000070E9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2756-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5016-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3400-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5016-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2756-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2756-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3400-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2756-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2756-236-0x0000000000400000-0x0000000000D1C000-memory.dmp