Malware Analysis Report

2024-12-08 02:12

Sample ID 240516-sr2d7sag4y
Target 8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7
SHA256 8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7
Tags glupteba discovery dropper evasion execution loader persistence rootkit upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7

Threat Level: Known bad

The file 8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:22

Reported

2024-05-16 15:25

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\system32\cmd.exe
PID 4560 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1580 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\rss\csrss.exe
PID 2348 wrote to memory of 1172 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 4312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 4380 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 1652 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2728 wrote to memory of 2388 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe

"C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe

"C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 61bd19db-175f-4825-867f-29131bf3d29e.uuid.realupdate.ru udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 server16.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun3.l.google.com udp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_huur4rle.3ww.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e72f8f336c634e058bb42dd0e3369373
SHA1 fadf806a95fd739ff4a6b07e981321d11daacc84
SHA256 8b42ba286b66be908f535695937f5b1eba4ccca01459e2404fa0e76bd26c0ab7
SHA512 26e19b397c7571a0599b35584e68bf0d181f5adbda68fe691403f797756faa6c4b5d5270832deeaa4acdd376ecb66983627fba2024b52a23e17e578fa3101ae4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 53f8ce2aaabb05f5f2491173f3883e27
SHA1 42763e194dfec72520bba153ebcfce66fc20b300
SHA256 46f91d96e136ff53e4650cb3d920fab531338652042c35cea5a5ca57d5c07b35
SHA512 1de2682ccfeffbd1103bfc066add1559f5e1bf170a936632086dcaf59f84ed2c49c07894be6165a77cb4100d7966b82dd014d1451e5ceea126de843ad04fbd55

C:\Windows\rss\csrss.exe

MD5 c3c2dd27495e2493df38fd487e98dd35
SHA1 e59486f19f71400d37dd6dd75a94e1790552891a
SHA256 8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7
SHA512 681f96542d73bb52caea1870b01c0a9b191324a3d7ea910dd01d07363e34151d64a1cc497f7da1da17182f971600b19c64531ae8c1d87384276a62404ee74f6c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7622db95cc82567d05e0d42b2638e30a
SHA1 a93da67254a25fdb1a013bc8570f212c28713be7
SHA256 adf8e657b911f3b100de25ec361f8c7a8ee739f123302ec2a1ae2a67af2b3a27
SHA512 a64cf767deb2e44c250ebdf4d9bdf45e41b64753701ca20f67dd2ff5b99646b8571e72260625ede65f4fe258daf707e2f9a2156efc3812b333f547e7782830cf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b9835f42139a7bf7e47c072404fbc84
SHA1 51a4338a0fbaac87f13eddc9b5ab4b24620f4ac7
SHA256 18edfd1e33bbd021e736c1d674585e6ca2d2359bdb4304a375e9762c2ba2aaa4
SHA512 1a6001b8d2b8e6559de01611ceae0e76619863c38b992b4c2990d7b80c45df837392f48195f6480bb1a97a509e83146b7d692de3f8d69dd66932d31b703a2419

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 205158a0738a269c2463fc6dcd9511ff
SHA1 6c9eb40c1644ee46114144418e02bc6a0ea32dab
SHA256 b168b719832ca98e6152a602b50fd6278ff0ac7b9c264395c6c18d07cfe8c5a7
SHA512 b83d0af1cad439aae5c231bb3cda70df7188012d88ee4890049503cb8c2fd41fab4000bd18e6c6752c9556e0f2fcf461605251b41c67704202db9c67321b5f63

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:22

Reported

2024-05-16 15:24

Platform

win11-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\system32\cmd.exe
PID 5024 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5024 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1204 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\rss\csrss.exe
PID 1204 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\rss\csrss.exe
PID 1204 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\rss\csrss.exe
PID 4332 wrote to memory of 2772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 2772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 2772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 2468 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4332 wrote to memory of 2468 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 440 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 440 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 440 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
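The table above is easier to read as a tree. What follows is an added example, not output of the sandbox: it parses rows in the exact format the report uses (the sample rows are copied from the table above and embedded as constructed input), collapses the repeated parent/child pairs (the sandbox logs every write, so one process creation appears two or three times) and prints the lineage. Note that C:\Windows\windefender.exe (PID 440) has no parent in this table, so the tree has two roots: the second instance of the sample (PID 1204), which spawns cmd.exe/netsh.exe, powershell.exe and C:\Windows\rss\csrss.exe, and windefender.exe, which drives the cmd.exe/sc.exe chain.

```python
"""Rebuild the process tree from a 'Suspicious use of WriteProcessMemory' table.

Added example, not part of the report. Each row is one
`PID <parent> wrote to memory of <child>` event followed by the two image paths.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed sample: a subset of the rows from the table, in the report's own format
# (header line included to show that non-matching lines are skipped).
SAMPLE_ROWS = r"""
Description Indicator Process Target
PID 1204 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\system32\cmd.exe
PID 5024 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1204 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe C:\Windows\rss\csrss.exe
PID 4332 wrote to memory of 2772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 2468 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 440 wrote to memory of 2500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""


class ProcessTree:
    def __init__(self):
        self.parent = {}                   # child pid -> parent pid (first writer wins)
        self.children = defaultdict(list)  # parent pid -> child pids, deduplicated, in order seen
        self.image = {}                    # pid -> image path

    def add(self, parent, child, parent_image, child_image):
        self.image.setdefault(parent, parent_image)
        self.image.setdefault(child, child_image)
        if child not in self.parent:       # repeated writes into the same child collapse to one edge
            self.parent[child] = parent
            self.children[parent].append(child)

    def lineage(self, pid):
        """Ancestor chain from the root down to pid, e.g. [440, 2500, 4884]."""
        chain = [pid]
        while chain[0] in self.parent:
            chain.insert(0, self.parent[chain[0]])
        return chain

    def roots(self):
        """Parents that were never observed as a child; their creator is outside this table."""
        return sorted(p for p in self.children if p not in self.parent)

    def render(self, pid, depth=0):
        """Indented text lines for the subtree under pid."""
        lines = [f"{'  ' * depth}{pid} {self.image[pid]}"]
        for child in self.children.get(pid, []):
            lines.extend(self.render(child, depth + 1))
        return lines


def build_tree(table_text):
    tree = ProcessTree()
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                       # header, blank line or a row from another table
        ppid, cpid, pimg, cimg = m.groups()
        tree.add(int(ppid), int(cpid), pimg, cimg)
    return tree


if __name__ == "__main__":
    tree = build_tree(SAMPLE_ROWS)
    for root in tree.roots():
        print("\n".join(tree.render(root)))
        print()
```

The first writer is recorded as the parent because, in these sandbox tables, the write into a newly created child precedes any later injection; if a table also contained cross-process injection into an existing process, that second writer would have to be kept as a separate edge.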

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe

"C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe

"C:\Users\Admin\AppData\Local\Temp\8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
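Four of the command lines above carry the persistence and defence-evasion story of this detonation: the netsh rule opens inbound traffic for C:\Windows\rss\csrss.exe (which, per the Files section below, has the same SHA256 as the submitted sample, i.e. a self-copy under a system-process name outside System32); the schtasks call runs that same binary at every logon with the highest run level; injector.exe loads NtQuerySystemInformationHook.dll into taskmgr.exe; and `sc sdset` rewrites the security descriptor of the WinDefender service. The block below is an added example, not sandbox output or code from the sample: it parses those four command lines (copied from the Processes section and embedded as constructed input) and decodes the SDDL string using the service-object meaning of the SDDL rights abbreviations from the Microsoft SDDL documentation. Decoded, the descriptor withholds SERVICE_STOP and SERVICE_PAUSE_CONTINUE from Administrators through an explicit deny ACE, `(D;;WPDT;;;BA)`, and also drops WP/DT from the Administrators allow ACE, so `sc stop WinDefender` fails for an administrator; Administrators keep WRITE_DAC and WRITE_OWNER, so the descriptor can be rewritten with `sc sdset` before the service is stopped (check the live value with `sc sdshow WinDefender`). The set of impersonated binary names is an assumption of the example.

```python
"""Triage of the command lines listed under Processes (added example, not report output)."""
import re

# Service-object meaning of each two-letter SDDL access right (Microsoft SDDL docs).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone", "AU": "Authenticated Users"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
# (type;flags;rights;object_guid;inherit_object_guid;sid) -- the two GUID fields are ignored
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')                     # netsh key=value tokens
SWITCH_RE = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/"\s]\S*)))?')  # schtasks /X [value]

# Assumption of this example: names of core Windows binaries that malware borrows; the real ones live in System32.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: the four command lines copied from the Processes section.
SAMPLE_CMDS = [
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def masquerades(path):
    """True when the file name is a core Windows binary but the path is outside System32/SysWOW64."""
    p = path.lower()
    return basename(p) in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS)


def parse_sddl(sddl):
    """Split an SDDL string into DACL ('D') and SACL ('S') ACE lists with decoded names."""
    acls = {"D": [], "S": []}
    for which, body in re.findall(r"(D|S):((?:\([^)]*\))*)", sddl):
        for ace_type, flags, rights, sid in ACE_RE.findall(body):
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)}
            acls[which].append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                                "rights": names, "trustee": TRUSTEES.get(sid, sid)})
    return acls


def rights_for(sddl, trustee, ace_type):
    """Union of the service rights the DACL grants (ALLOW) or withholds (DENY) from one trustee."""
    return set().union(*(a["rights"] for a in parse_sddl(sddl)["D"]
                         if a["trustee"] == trustee and a["type"] == ace_type))


def parse_netsh_rule(cmd):
    return {k: q or u for k, q, u in KV_RE.findall(cmd)}


def parse_schtasks(cmd):
    # Switches without a value (/CREATE, /F) map to True.
    return {k.upper(): (q or u or True) for k, q, u in SWITCH_RE.findall(cmd)}


def parse_sdset(cmd):
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    return (m.group(1), m.group(2)) if m else None


def triage(cmd):
    """Human-readable findings for one command line; an empty list means nothing was flagged."""
    findings = []
    if "advfirewall firewall add rule" in cmd.lower():
        rule = parse_netsh_rule(cmd)
        if rule.get("action", "").lower() == "allow" and masquerades(rule.get("program", "")):
            findings.append(f"firewall allow rule '{rule.get('name')}' for masquerading binary {rule['program']}")
    if re.search(r"schtasks.*?/create", cmd, re.I):
        task = parse_schtasks(cmd)
        tr = task.get("TR", "")
        if task.get("RL") == "HIGHEST" and masquerades(tr):
            findings.append(f"task '{task.get('TN')}' runs masquerading binary {tr} at {task.get('SC')} with highest run level")
    m = re.search(r"injector\.exe\s+(\S+)\s+(\S+\.dll)", cmd, re.I)
    if m and "hook" in m.group(2).lower():
        findings.append(f"hook DLL {basename(m.group(2))} injected into {m.group(1)}")
    sd = parse_sdset(cmd)
    if sd:
        name, sddl = sd
        denied = rights_for(sddl, "Administrators", "DENY")
        if denied:
            findings.append(f"service '{name}' DACL denies Administrators {sorted(denied)}")
    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_CMDS:
        for finding in triage(cmd):
            print(finding)
```

The masquerade check is deliberately narrow (well-known process name outside System32/SysWOW64) so that it fires on C:\Windows\rss\csrss.exe without flagging the legitimate C:\Windows\System32\csrss.exe; the SACL ACE `(AU;FA;...;;;WD)` the sample leaves in place audits failed access by Everyone, so blocked stop attempts by an administrator will appear as audit failures if object auditing is enabled.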

Network

Country Destination Domain Proto
US 8.8.8.8:53 d47a7568-1cf9-4ec6-8086-2cc11c503f49.uuid.realupdate.ru udp
US 8.8.8.8:53 server5.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.96:443 server5.realupdate.ru tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
BG 185.82.216.96:443 server5.realupdate.ru tcp
BG 185.82.216.96:443 server5.realupdate.ru tcp
N/A 127.0.0.1:31465 tcp

Files

memory/2404-1-0x0000000002A20000-0x0000000002E19000-memory.dmp

memory/2404-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/2404-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4512-4-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/4512-5-0x0000000002A90000-0x0000000002AC6000-memory.dmp

memory/4512-6-0x00000000746C0000-0x0000000074E71000-memory.dmp

memory/4512-7-0x00000000051B0000-0x00000000057DA000-memory.dmp

memory/4512-8-0x00000000746C0000-0x0000000074E71000-memory.dmp

memory/4512-9-0x0000000005170000-0x0000000005192000-memory.dmp

memory/4512-10-0x0000000005950000-0x00000000059B6000-memory.dmp

memory/4512-11-0x00000000058E0000-0x0000000005946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54djapwg.ay2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4512-20-0x0000000005A00000-0x0000000005D57000-memory.dmp

memory/4512-21-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/4512-22-0x0000000005F50000-0x0000000005F9C000-memory.dmp

memory/4512-23-0x00000000064E0000-0x0000000006526000-memory.dmp

memory/4512-26-0x00000000746C0000-0x0000000074E71000-memory.dmp

memory/4512-25-0x0000000070930000-0x000000007097C000-memory.dmp

memory/4512-37-0x00000000073B0000-0x0000000007454000-memory.dmp

memory/4512-36-0x0000000007390000-0x00000000073AE000-memory.dmp

memory/4512-27-0x0000000070B80000-0x0000000070ED7000-memory.dmp

memory/4512-24-0x0000000007350000-0x0000000007384000-memory.dmp

memory/4512-38-0x00000000746C0000-0x0000000074E71000-memory.dmp

memory/4512-40-0x00000000074E0000-0x00000000074FA000-memory.dmp

memory/4512-39-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/4512-41-0x0000000007520000-0x000000000752A000-memory.dmp

memory/4512-42-0x0000000007630000-0x00000000076C6000-memory.dmp

memory/4512-43-0x0000000007540000-0x0000000007551000-memory.dmp

memory/4512-44-0x0000000007590000-0x000000000759E000-memory.dmp

memory/4512-45-0x00000000075A0000-0x00000000075B5000-memory.dmp

memory/4512-46-0x00000000075F0000-0x000000000760A000-memory.dmp

memory/4512-47-0x0000000007610000-0x0000000007618000-memory.dmp

memory/4512-50-0x00000000746C0000-0x0000000074E71000-memory.dmp

memory/1204-52-0x0000000002A20000-0x0000000002E1E000-memory.dmp

memory/3204-61-0x0000000005940000-0x0000000005C97000-memory.dmp

memory/3204-62-0x0000000070930000-0x000000007097C000-memory.dmp

memory/3204-63-0x0000000071270000-0x00000000715C7000-memory.dmp

memory/3204-72-0x00000000071A0000-0x0000000007244000-memory.dmp

memory/3204-73-0x00000000074D0000-0x00000000074E1000-memory.dmp

memory/3204-74-0x0000000007520000-0x0000000007535000-memory.dmp

memory/2404-75-0x0000000002A20000-0x0000000002E19000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/3620-87-0x0000000005D10000-0x0000000006067000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 faf0af98afa844103659f1a9869fa649
SHA1 62cb743e0b9f1fc8df5f942b2d4c333566f85127
SHA256 d5b8d36cd036703b101217c7dce40755b9c950e636bdbf8fcc84b728041d7ee7
SHA512 d5688f9586d1eaf2b8c67acea60206b10d06f4290b33e9364569d21c04801de829358ea10d5f85cb658c3419bde4766f8bb3b0a49cdd3ccef8680bdbed054b9a

memory/3620-89-0x0000000070930000-0x000000007097C000-memory.dmp

memory/3620-90-0x0000000070AB0000-0x0000000070E07000-memory.dmp

memory/2404-99-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2404-100-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/3816-110-0x00000000055D0000-0x0000000005927000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a4012af9ceb4186689c1346f5512f7b3
SHA1 3397314354b32508f87013a0f16a2b0c99c9fe81
SHA256 ff629553d4c998aa1b712f0ee8e6d34f7483674e572dd17b75e3c3b6f16009c7
SHA512 5a136a3c7a6c75eecc591f0795f2795d11b3c9e4cf7629cc1fd57e8698e804cc5beeaa0dab296dd083c3fe8937f96b73abce03500e94c45ad45fabf1b0b8f79f

memory/3816-112-0x0000000070930000-0x000000007097C000-memory.dmp

memory/3816-113-0x0000000070BA0000-0x0000000070EF7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c3c2dd27495e2493df38fd487e98dd35
SHA1 e59486f19f71400d37dd6dd75a94e1790552891a
SHA256 8326890d71d13a36ad5f4d2d144045b747bad5d00f974415ed8ff88b858194e7
SHA512 681f96542d73bb52caea1870b01c0a9b191324a3d7ea910dd01d07363e34151d64a1cc497f7da1da17182f971600b19c64531ae8c1d87384276a62404ee74f6c

memory/1204-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2772-137-0x0000000005CA0000-0x0000000005FF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1e2b8ac13ab9e449358cbe4127236440
SHA1 58161faa5b36b5df681c115de4bdc4661854df03
SHA256 8b4e033dbc7b258a312fdffc2c2606858705ddf94ea7230a52e91875b1c1e53c
SHA512 97ba0b5848ba463d00bb2526f8dfdb327f6d5f89919f87b8651317cd3fb6acf93f607ef61808661c0b46e4d9468f02c10b2bf04175bef7d216959ec6c8109696

memory/2772-139-0x0000000070930000-0x000000007097C000-memory.dmp

memory/2772-140-0x0000000070AE0000-0x0000000070E37000-memory.dmp

memory/3132-158-0x0000000006190000-0x00000000064E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 320572ec8e13ef316579796ade8e8bcd
SHA1 71f6dbd938ffddefd80f89c2572e1aace35ccf42
SHA256 9db3ffe9a7200daf04dba39f0957674e76a0e1b78c482e62a819eee190bc5a02
SHA512 02aa2c2d225c0a26f18174e830e75ec7997e883c2f6954cafc72404cdc438a0904cc7cbdd112f49ccf9d477aa5983c43595ad6bbb4a77c5e4e24649fb58b62b8

memory/3132-160-0x0000000006640000-0x000000000668C000-memory.dmp

memory/3132-161-0x0000000070850000-0x000000007089C000-memory.dmp

memory/3132-162-0x00000000709D0000-0x0000000070D27000-memory.dmp

memory/3132-171-0x0000000007860000-0x0000000007904000-memory.dmp

memory/3132-172-0x0000000007BF0000-0x0000000007C01000-memory.dmp

memory/3132-173-0x0000000005FF0000-0x0000000006005000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bac2fe0c51b9cedbc0f55b8916658014
SHA1 c88db232d36a5881fcbeecdd52aef805daf36fe2
SHA256 a127f5ea75aa318e9d3a50f0ba7ee8ca26d537e2e0ad18ab46f20e7cb1edf86a
SHA512 29447f172bf7da7b602f4945618b0543cac59b953ac778530458ca52dd307e03a047729c727a094f9d0008e8d07716527ca0bc60dea544d0eeb0ad48eecd5e0e

memory/3264-184-0x0000000070850000-0x000000007089C000-memory.dmp

memory/3264-185-0x00000000709D0000-0x0000000070D27000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4332-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/440-206-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3144-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/440-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4332-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3144-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4332-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3144-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4332-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4332-245-0x0000000000400000-0x0000000000D1C000-memory.dmp