Malware Analysis Report

2024-12-08 02:20

Sample ID 240516-s8f5labg8z
Target d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d
SHA256 d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d

Threat Level: Known bad

The file d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:47

Reported

2024-05-16 15:50

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\system32\cmd.exe
PID 3904 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\system32\cmd.exe
PID 552 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 552 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3904 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\rss\csrss.exe
PID 3904 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\rss\csrss.exe
PID 3904 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\rss\csrss.exe
PID 2236 wrote to memory of 4296 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 4296 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 4296 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 1560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 1560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 1560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2236 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2228 wrote to memory of 1232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1232 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1232 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe

"C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe

"C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrjdpq4t.igi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 148f309232a32ba9d69755c0b7f84e05
SHA1 73c6365a0c490906470fba536750461e51353db2
SHA256 c96ceacaf482c99b36c6daa3278ffd7147574b4586b0ad3006b346c5a87c57ca
SHA512 7f3f90a0aef6418756533fb92fc323258a3b3a4828401a0fdc46790f113154518e523ee6efc11106c343c53c2abb9a2e6d1d998f59ce4e1d58d84d190ca07f2c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 033ba1ccffe5fa90dd24559d1de83d31
SHA1 029d72d77204fcf3bf2c6e75bcbc96b4d10959a2
SHA256 05f9ada1a536ad1fdad3deb9ac8a533842fb4c49ea6186691767f8521da6a927
SHA512 11b88776ccca398bb71324348d32d827b0a4ed094b5059959470a557183d361a6e134d17cfbc8f14fc0f53563c5d912b078cdfddb563e9a0caf77a64a084520b

C:\Windows\rss\csrss.exe

MD5 f61907337e51965dbf78c17f2e4ea89c
SHA1 a6f4b1a5d0a14f8d01da5a78ea1ed130c135b657
SHA256 d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d
SHA512 d24583df5b3f3fd82d56d21bdde970b5f2cf12cbd0947e55fb18abc89f0eb7d8a7bee5563c257feac31b34834ccf2ba96b155e016fdd20bca88b768c3b40d87f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3b1c501479baf62f4919aac126ba33e3
SHA1 7b385d40e105830951867e7e959c29a0d32bad35
SHA256 aa44ad0bf47f297c00d423015cf59d92bf79bc9a27d5eeb79158d392786de5ea
SHA512 25ef1ede4f0dd61a92c95d7c3b63b25f9f09747901373b82da5ba14fc46747af26ddb10714e441dfbdaaa286783bf4c5c406b1d8737ad5404d14ee3c555c47b8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c74e982c93a01378110739940b88a4b
SHA1 483039ad7202216c13742e4cae63d54012ea8886
SHA256 805a9febc8d327f077cd595d5e10cdc0cab2c2ff1c68c58d2a147efe0937deda
SHA512 4b2d991c281231cff1d21e4f4e039663a4ac7b40382e4eaf617f6527bbaca2073f7c2b3f7e90139fe885d0e752e0d411fa12ed1f9108e8411a075020d2ef20a8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c438d50a67992dd8db28529502936501
SHA1 716d406198a0f91da4d3bca8a9d91e42fd24737e
SHA256 06b47825557c929185be095702d212570539cd2b2baa2837ddae75aa7022915d
SHA512 10a38786a95e8eef3b0c29b14515abf15ef89d949fd42c7f8b810fd3babd0d951a9dca6df47ec04c6514d2742fac633de8b69cf9941ef586899dc2ba67ba19df

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:47

Reported

2024-05-16 15:50

Platform

win11-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2080 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1260 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\rss\csrss.exe
PID 1260 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\rss\csrss.exe
PID 1260 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe C:\Windows\rss\csrss.exe
PID 768 wrote to memory of 832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 4940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 4940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 4940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 768 wrote to memory of 4024 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 768 wrote to memory of 4024 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 388 wrote to memory of 3040 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 3040 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 3040 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3040 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3040 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
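
The parent/child pairs in this table, read together with the command lines listed under Processes below, are the material for host detections that do not depend on the sample's hash: the dropper in Temp launches cmd.exe to run netsh, copies itself to C:\Windows\rss\csrss.exe, and that copy spawns PowerShell, schtasks and injector.exe, while windefender.exe runs cmd.exe to call sc.exe. The following Python is an added example and is not code from the report or the sandbox. It replays the chain as constructed Sysmon-style process-creation events (images, command lines and the PIDs 1260, 2080, 4088, 768, 4024, 3040 and 1996 are copied from this report; PID 5000 for schtasks is invented because the report does not give it) and runs rules that key on the observed behaviour: a csrss.exe outside System32, an inbound firewall allow for an untrusted binary, a highest-privilege logon task, a service DACL that denies stop to Administrators, a *Hook.dll pushed into taskmgr.exe, and system utilities whose ancestry leads back to a Temp executable.

```python
import re
from dataclasses import dataclass

# Added example, not from the sandbox report. Image paths and command lines
# below are copied from the report; only the schtasks PID (5000) is invented.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
FAKE_CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
HOOK_DLL = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"
NETSH_CMD = ('netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
             'program="C:\\Windows\\rss\\csrss.exe" enable=yes')
SDSET_CMD = ("sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
             "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass
class ProcEvent:  # the fields a Sysmon EID 1 / Security 4688 record provides
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [  # constructed replay of the chain in the WriteProcessMemory table
    ProcEvent(1260, 1728, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2840, 1260, PS, "powershell -nologo -noprofile"),
    ProcEvent(2080, 1260, r"C:\Windows\system32\cmd.exe",
              'C:\\Windows\\Sysnative\\cmd.exe /C "' + NETSH_CMD + '"'),
    ProcEvent(4088, 2080, r"C:\Windows\system32\netsh.exe", NETSH_CMD),
    ProcEvent(768, 1260, FAKE_CSRSS, FAKE_CSRSS),
    ProcEvent(5000, 768, r"C:\Windows\SYSTEM32\schtasks.exe",
              'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'),
    ProcEvent(4024, 768, INJECTOR, INJECTOR + " taskmgr.exe " + HOOK_DLL),
    ProcEvent(3040, 388, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /C " + SDSET_CMD),
    ProcEvent(1996, 3040, r"C:\Windows\SysWOW64\sc.exe", SDSET_CMD),
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def _untrusted(path):
    """Under the user's Temp, or under C:\\Windows but outside the system directories."""
    p = path.lower()
    return ("\\appdata\\local\\temp\\" in p
            or (p.startswith("c:\\windows\\") and not p.startswith(SYSTEM_DIRS)))

def rule_masquerade(ev, _):
    if _base(ev.image) == "csrss.exe" and not ev.image.lower().startswith(SYSTEM_DIRS):
        return "csrss.exe running outside System32: " + ev.image

def rule_firewall_allow(ev, _):
    prog = re.search(r'program="?([^"\s]+)', ev.cmdline, re.I)
    if (re.search(r"advfirewall\s+firewall\s+add\s+rule", ev.cmdline, re.I) and prog
            and re.search(r"action=allow", ev.cmdline, re.I) and _untrusted(prog.group(1))):
        return "inbound allow rule for untrusted binary " + prog.group(1)

def rule_schtasks(ev, _):
    tr = re.search(r'/tr\s+"?([^"]+?)"?\s+/tn', ev.cmdline, re.I)
    if tr and re.search(r"/rl\s+highest", ev.cmdline, re.I) and _untrusted(tr.group(1)):
        return "highest-privilege logon task running " + tr.group(1)

# a DENY ACE for Builtin Administrators whose rights include WP (stop) or DT (pause)
DENY_STOP_BA = re.compile(r"\(D;[^;]*;[A-Z]*(?:WP|DT)[A-Z]*;[^;]*;[^;]*;BA\)")

def rule_sdset(ev, _):
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", ev.cmdline, re.I)
    if m and DENY_STOP_BA.search(m.group(2)):
        return "service %s DACL denies stop/pause to Administrators" % m.group(1)

def rule_hook_dll(ev, _):
    m = re.search(r"(\S+hook\.dll)", ev.cmdline, re.I)
    if m and "taskmgr.exe" in ev.cmdline.lower():
        return "DLL injection into Task Manager with " + m.group(1)

def rule_temp_lineage(ev, by_pid):
    """netsh/schtasks/sc with a Temp-directory executable somewhere up the tree."""
    if _base(ev.image) in ("netsh.exe", "schtasks.exe", "sc.exe"):
        parent = by_pid.get(ev.ppid)
        while parent:
            if "\\appdata\\local\\temp\\" in parent.image.lower():
                return _base(ev.image) + " descends from " + parent.image
            parent = by_pid.get(parent.ppid)

RULES = [rule_masquerade, rule_firewall_allow, rule_schtasks,
         rule_sdset, rule_hook_dll, rule_temp_lineage]

def run_rules(events):
    """(pid, rule name, message) for every rule that fires on every event."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, rule.__name__, msg)
            for ev in events for rule in RULES if (msg := rule(ev, by_pid))]

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(*hit)
```

The lineage rule only fires when the ancestor is still in the event set, which is why the sc.exe call under windefender.exe (PID 388, whose own parent the report does not show) is caught by the DACL rule rather than by ancestry; in a real pipeline the rules are cheap enough to run on every process-creation record, and the two PowerShell children with a bare `-nologo -noprofile` command line produce no hit on their own, which is the point of keying on the netsh, schtasks, sc and injector arguments instead.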

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe

"C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe

"C:\Users\Admin\AppData\Local\Temp\d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
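
The `sc sdset WinDefender ...` command above is the line in this chain a responder most needs to read, and SDDL is not meant to be read by eye. The following Python is an added example, not code from the report or from the sample: it decodes that exact descriptor using the documented mapping of SDDL right letters onto SERVICE_* access bits and answers the two questions that matter on a live host, namely who can still stop the service and whether an administrator can still rewrite the descriptor. The trustee names are the usual aliases for the well-known SIDs; the rest of the report does not show the service being created, only this descriptor being applied to it.

```python
import re

# Added example, not from the report or the sample. SDDL right letters are
# generic; on a service object they decode to the SERVICE_* bits listed here.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
# Well-known SID aliases used in the descriptor. "WD" is WRITE_DAC in the
# rights field but Everyone in the trustee field; the position disambiguates.
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
            "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# The descriptor from the `sc sdset WinDefender ...` command line in this report.
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def decode_rights(field):
    """SDDL rights field (two-letter codes or a hex mask) -> access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SERVICE_RIGHTS[field[i:i + 2]][0]
    return mask

def right_names(mask):
    return sorted(name for bit, name in SERVICE_RIGHTS.values() if mask & bit)

def parse_sddl(sddl):
    """Split a service SDDL string into its DACL and SACL ACE lists."""
    acl = {"dacl": [], "sacl": []}
    for m in re.finditer(r"([DS]):((?:\([^)]*\))*)", sddl):
        key = "dacl" if m.group(1) == "D" else "sacl"
        for body in re.findall(r"\(([^)]*)\)", m.group(2)):
            ace_type, flags, rights, _obj_guid, _inh_guid, sid = body.split(";")
            acl[key].append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                             "mask": decode_rights(rights), "trustee": TRUSTEES.get(sid, sid)})
    return acl

def effective_rights(sddl, trustee):
    """Allowed-minus-denied rights for one trustee.

    Windows checks ACEs first-match in order and this DACL is not canonical
    (the deny ACE follows an allow ACE), but the Administrators allow ACE
    never grants WP/DT in the first place, so allow & ~deny is exact here.
    """
    allowed = denied = 0
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] == trustee and ace["type"] == "ALLOW":
            allowed |= ace["mask"]
        elif ace["trustee"] == trustee and ace["type"] == "DENY":
            denied |= ace["mask"]
    return right_names(allowed & ~denied)

def stop_denied_to(sddl):
    """Trustees explicitly denied SERVICE_STOP or SERVICE_PAUSE_CONTINUE."""
    stop_bits = SERVICE_RIGHTS["WP"][0] | SERVICE_RIGHTS["DT"][0]
    return sorted({ace["trustee"] for ace in parse_sddl(sddl)["dacl"]
                   if ace["type"] == "DENY" and ace["mask"] & stop_bits})

def assess(sddl):
    """What the descriptor leaves the local administrator able to do."""
    admin = effective_rights(sddl, "BUILTIN\\Administrators")
    return {"admin_can_stop": "SERVICE_STOP" in admin,
            "admin_can_delete": "DELETE" in admin,
            # WRITE_DAC retained: an elevated `sc sdset` can overwrite this descriptor
            "admin_can_rewrite_dacl": "WRITE_DAC" in admin,
            "stop_denied_to": stop_denied_to(sddl)}

if __name__ == "__main__":
    for ace in parse_sddl(GLUPTEBA_SDDL)["dacl"]:
        print(ace["type"], ace["trustee"], right_names(ace["mask"]))
    print(assess(GLUPTEBA_SDDL))
```

Decoded, the descriptor grants SYSTEM the full start/stop/pause set, gives Administrators everything except SERVICE_STOP and SERVICE_PAUSE_CONTINUE and then denies those two explicitly with `(D;;WPDT;;;BA)`, and leaves interactive and service logons with query rights only; the SACL audits all access by Everyone. The practical consequence is that `sc stop WinDefender` fails from an elevated prompt while a process running as SYSTEM can still stop it. Because the allow ACE still grants Administrators WRITE_DAC and DELETE, an elevated `sc sdset WinDefender <descriptor>` or `sc delete WinDefender` remains available for clean-up, which is the check `assess()` reports.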

Network

Country Destination Domain Proto
US 8.8.8.8:53 bea1c988-3523-4885-b8ff-217845b09e45.uuid.theupdatetime.org udp
US 8.8.8.8:53 server16.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server16.theupdatetime.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server16.theupdatetime.org tcp
US 52.111.229.43:443 N/A tcp
BG 185.82.216.108:443 server16.theupdatetime.org tcp
N/A 127.0.0.1:31465 N/A tcp

Files

memory/1728-1-0x0000000002B60000-0x0000000002F65000-memory.dmp

memory/1728-2-0x0000000002F70000-0x000000000385B000-memory.dmp

memory/1728-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/772-4-0x00000000003B0000-0x0000000000419000-memory.dmp

memory/772-5-0x00000000053F0000-0x0000000005426000-memory.dmp

memory/772-6-0x0000000005AB0000-0x00000000060DA000-memory.dmp

memory/772-7-0x0000000006150000-0x0000000006172000-memory.dmp

memory/772-8-0x00000000062F0000-0x0000000006356000-memory.dmp

memory/772-9-0x0000000006360000-0x00000000063C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmdfutjf.era.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/772-18-0x00000000063D0000-0x0000000006727000-memory.dmp

memory/772-19-0x00000000068B0000-0x00000000068CE000-memory.dmp

memory/772-20-0x00000000068F0000-0x000000000693C000-memory.dmp

memory/772-21-0x0000000006E30000-0x0000000006E76000-memory.dmp

memory/772-22-0x0000000007CC0000-0x0000000007CF4000-memory.dmp

memory/772-23-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/772-24-0x0000000070410000-0x0000000070767000-memory.dmp

memory/772-33-0x0000000007D20000-0x0000000007D3E000-memory.dmp

memory/772-34-0x0000000007D40000-0x0000000007DE4000-memory.dmp

memory/772-35-0x00000000084B0000-0x0000000008B2A000-memory.dmp

memory/772-36-0x0000000007E70000-0x0000000007E8A000-memory.dmp

memory/772-37-0x0000000007EB0000-0x0000000007EBA000-memory.dmp

memory/772-38-0x0000000007FC0000-0x0000000008056000-memory.dmp

memory/772-39-0x0000000007ED0000-0x0000000007EE1000-memory.dmp

memory/772-40-0x0000000007F20000-0x0000000007F2E000-memory.dmp

memory/772-41-0x0000000007F30000-0x0000000007F45000-memory.dmp

memory/772-42-0x0000000007F80000-0x0000000007F9A000-memory.dmp

memory/772-43-0x0000000007FA0000-0x0000000007FA8000-memory.dmp

memory/772-46-0x00000000003B0000-0x0000000000419000-memory.dmp

memory/1260-48-0x0000000002A40000-0x0000000002E3B000-memory.dmp

memory/2840-57-0x00000000055D0000-0x0000000005927000-memory.dmp

memory/2840-58-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2840-59-0x00000000704D0000-0x0000000070827000-memory.dmp

memory/2840-68-0x0000000006CF0000-0x0000000006D94000-memory.dmp

memory/2840-69-0x0000000007020000-0x0000000007031000-memory.dmp

memory/2840-70-0x0000000007070000-0x0000000007085000-memory.dmp

memory/1728-73-0x0000000002B60000-0x0000000002F65000-memory.dmp

memory/1728-74-0x0000000002F70000-0x000000000385B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2944-81-0x0000000005940000-0x0000000005C97000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b45f518ea6509bcf5fcb36a7e8e83abc
SHA1 fe16cb8f696167c6a3ba09e9b9d3a48a4d73469a
SHA256 18275f6b28bfbad2e13cb0257f26cf35841541a4338a521f6804248951ff8b62
SHA512 272656460c30496afb42eb95a5836fcc5b7b160c5647341ef6734c52f7eebf6b643fed09fb9f1d861f1175f8d43053ae890c12b2d1cedc9e25d1f67bda47e78c

memory/2944-86-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2944-87-0x0000000070490000-0x00000000707E7000-memory.dmp

memory/3420-105-0x0000000005450000-0x00000000057A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3b5edfdbbaa4a5c3a6af2e4b70e68eb1
SHA1 3de9a56be1108c86d8fdbfb93eb5fdae8d23208a
SHA256 90d2832834913cd51ba1b0651379668273a6a7441de8bacc50bdeddafd690a78
SHA512 e940d55b0d80799713bc328ec196dff947fbfb513d4d8a991f1b691bf2ce6eb713a3feee1adf566b9682838e1fba7bcc7434ac99ecff01e19436719a444e27b9

memory/3420-107-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/3420-109-0x0000000070430000-0x0000000070787000-memory.dmp

memory/1728-108-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f61907337e51965dbf78c17f2e4ea89c
SHA1 a6f4b1a5d0a14f8d01da5a78ea1ed130c135b657
SHA256 d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d
SHA512 d24583df5b3f3fd82d56d21bdde970b5f2cf12cbd0947e55fb18abc89f0eb7d8a7bee5563c257feac31b34834ccf2ba96b155e016fdd20bca88b768c3b40d87f

memory/832-132-0x0000000006080000-0x00000000063D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 706af03a1a2db50001012b3681661ef5
SHA1 9ab1a6479af6238a422b44fcef33b48da050bc20
SHA256 64a2af20085bd0acb0c12a6d95e91ca00246c736605c5673da99d3fdd274ca8a
SHA512 20ebd5dfa5da8f803e0f8d0ebed6c48999696185b5ce417bb6128f105975aaaf372a83b5c20abe8403f9465debda5775ef41020ff19340399c4d137e58820c2f

memory/832-135-0x0000000070420000-0x0000000070777000-memory.dmp

memory/832-134-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/4940-153-0x00000000063A0000-0x00000000066F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 185f1c0c02cc3fc429910b7b60ed7d52
SHA1 c28153287c689a0b9ad54575137d81504d909ba4
SHA256 2fecc1b338bdeb6aea4ddea99ecae8cd882310ce6b4c60dbbd9fc431d4c0a0f1
SHA512 60b83203f33b7a96ccf02977ed9f649604bb352667e9d4ebc09fd46c622db43e2b964eac7ee9e41b8d6659d20fccbbf352a05986e85b8f0d4178bda2e06c374b

memory/4940-155-0x0000000006E70000-0x0000000006EBC000-memory.dmp

memory/4940-156-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/4940-157-0x0000000070320000-0x0000000070677000-memory.dmp

memory/4940-166-0x0000000007B70000-0x0000000007C14000-memory.dmp

memory/4940-167-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

memory/4940-168-0x00000000062F0000-0x0000000006305000-memory.dmp

memory/1260-169-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2568-179-0x0000000006130000-0x0000000006487000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3b10d376d2390a6612d87ddf5b002dd
SHA1 749be92b60a42c9a41afb06bc7325159d39a1606
SHA256 a17290fb5b18728a07d806cf4ac73c36214c7e495cdc952ab7337f827c02f846
SHA512 0903caaeb121fb468d20ac78bdeef0b3dffba28b98a3eaa226a25b9c356cb095d04dce7ad9a4451a2017a805a57bdb1c038bb78adf86172bc2fc74ab4fe355c5

memory/2568-181-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/2568-182-0x00000000703F0000-0x0000000070747000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/768-198-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/388-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1260-204-0x0000000002A40000-0x0000000002E3B000-memory.dmp

memory/2208-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/388-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/768-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2208-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/768-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2208-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/768-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2208-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/768-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-255-0x0000000000400000-0x0000000000D1C000-memory.dmp
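
The Files list above mixes three kinds of entry: memory dumps, which carry no hash; side effects of powershell.exe starting up (`__PSScriptPolicyTest_*.ps1`, `StartupProfileData-Interactive`, the CLR `UsageLogs\powershell.exe.log`), whose location under `C:\Windows\SysWOW64\config\systemprofile` shows those PowerShell instances ran under the LocalSystem account; and the real drops. Of the drops, `C:\Windows\rss\csrss.exe` has the same SHA256 as the submitted sample, so it is a self-copy and the sample hash already covers it, whereas injector.exe and windefender.exe are distinct binaries that need their own hashes. The Network table likewise mixes resolver queries to 8.8.8.8 with the connections that followed, and one name (the uuid.theupdatetime.org host) was resolved but never connected to. The following Python is an added example, not from the report: it parses rows copied from those two tables (a subset of the Files entries, with the SHA1/SHA512 lines dropped) into hunt indicators with the noise removed. Which of the contacted hosts are shared infrastructure rather than attacker-controlled (the Google STUN server, Discord's CDN) is an analyst judgement the code leaves to the reader.

```python
import re

# Added example, not from the report. Inputs are rows copied from the Files and
# Network sections (a subset of the Files entries; SHA1/SHA512 lines dropped).
SAMPLE_SHA256 = "d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d"

FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmdfutjf.era.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
MD5 b45f518ea6509bcf5fcb36a7e8e83abc
SHA256 18275f6b28bfbad2e13cb0257f26cf35841541a4338a521f6804248951ff8b62

C:\Windows\rss\csrss.exe
MD5 f61907337e51965dbf78c17f2e4ea89c
SHA256 d4bba3e3142d4e19156f50ab3088d7c7a2f722612fe5570b6ed680a529ff6c8d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5 d98e33b66343e7c96158444127a117f6
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

C:\Windows\windefender.exe
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
"""

NETWORK_TEXT = """
US 8.8.8.8:53 bea1c988-3523-4885-b8ff-217845b09e45.uuid.theupdatetime.org udp
US 8.8.8.8:53 server16.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server16.theupdatetime.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server16.theupdatetime.org tcp
US 52.111.229.43:443 tcp
BG 185.82.216.108:443 server16.theupdatetime.org tcp
N/A 127.0.0.1:31465 tcp
"""

# written by powershell.exe / the CLR when PowerShell starts, not by the malware's logic
PS_STARTUP_NOISE = ("__psscriptpolicytest_", "startupprofiledata-", "\\usagelogs\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NET_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_files(text):
    """Group 'path line + hash lines' blocks into dicts; dumps end up with no hashes."""
    entries, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if not line:
            current = None
        elif m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = {"path": line}
            entries.append(current)
    return entries

def classify(entry, sample_sha256=SAMPLE_SHA256):
    if entry.get("sha256") == sample_sha256:
        return "self-copy"          # byte-identical to the submitted sample
    if any(n in entry["path"].lower() for n in PS_STARTUP_NOISE):
        return "powershell-noise"
    return "new-payload"

def hunt_hashes(text, sample_sha256=SAMPLE_SHA256):
    """SHA256s to search for besides the sample's own: the distinct dropped binaries."""
    return {e["path"]: e["sha256"] for e in parse_files(text)
            if "sha256" in e and classify(e, sample_sha256) == "new-payload"}

def parse_network(text):
    rows = []
    for line in text.strip().splitlines():
        m = NET_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows

def network_iocs(text):
    """Separate names that were only resolved from endpoints actually contacted."""
    rows = parse_network(text)
    resolved = {r["domain"] for r in rows if r["port"] == 53 and r["domain"]}
    contacted = {}
    for r in rows:
        if r["port"] == 53 or r["ip"].startswith("127."):
            continue   # resolver traffic and the sandbox loopback listener are not endpoints
        contacted.setdefault(r["ip"], set()).add(r["domain"] or "(no name)")
    seen = {d for names in contacted.values() for d in names}
    return {"resolved_only": resolved - seen, "contacted": contacted}

if __name__ == "__main__":
    for e in parse_files(FILES_TEXT):
        print(classify(e), e["path"])
    print(hunt_hashes(FILES_TEXT))
    print(network_iocs(NETWORK_TEXT))
```

Run on the rows above, `hunt_hashes()` yields exactly two hashes (injector.exe and windefender.exe), `network_iocs()` lists five contacted endpoints and reports the uuid.theupdatetime.org host as resolved-only, and the loopback listener on 127.0.0.1:31465 is dropped because it is the sandbox host talking to itself, not an external indicator. The name-only entry is worth keeping in the hunt list in its own right: a per-host UUID subdomain that is looked up without a connection following is a pattern to search DNS logs for, whatever its purpose turns out to be.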