Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-st1wfsah6x
Target a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe
SHA256 a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe

Threat Level: Known bad

The file a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:25

Reported

2024-05-16 15:28

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 184 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 184 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 184 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\system32\cmd.exe
PID 4252 wrote to memory of 3480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4252 wrote to memory of 3480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3052 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\rss\csrss.exe
PID 3052 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\rss\csrss.exe
PID 3052 wrote to memory of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe | C:\Windows\rss\csrss.exe
PID 264 wrote to memory of 3484 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 3484 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 3484 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 1896 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 1896 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 1896 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 4344 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 4344 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 4344 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 264 wrote to memory of 2072 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 264 wrote to memory of 2072 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3976 wrote to memory of 4720 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 4720 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 4720 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 1964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4720 wrote to memory of 1964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4720 wrote to memory of 1964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe

"C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe

"C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
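
The `sc sdset` call at the end of this process list is the point of the windefender.exe stage: it replaces the security descriptor of a service named WinDefender (the report shows the descriptor being set but not the service being created, so the binding of that name to windefender.exe is inferred). The argument is plain SDDL: each parenthesised ACE is (type;flags;rights;object_guid;inherit_object_guid;sid) and the rights field is a run of two-letter codes. Compared with the default descriptor Windows assigns to a service, the Administrators allow ACE has lost WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) and an explicit deny ACE (D;;WPDT;;;BA) for the same two rights has been added, so an administrator gets "Access is denied" from `sc stop` or services.msc while SYSTEM is unaffected. The decoder below is an added example written for this page, not tooling from the sandbox or from the malware; its rights, ACE-type and well-known-SID tables cover only the codes this descriptor uses.

```python
import re

# Two-letter SDDL access-right codes as they apply to service objects
# (service-specific rights from winsvc.h plus the standard rights).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone",
}

# The descriptor sc.exe applied in the run above, copied from its command line.
MALWARE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_codes(codes):
    """'WPDT' -> ['WP', 'DT']; a hex mask ('0x...') is passed through undecoded."""
    if codes.startswith("0x"):
        return [codes]
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}, one dict per ACE, in on-the-wire order.

    Each ACE is (type;flags;rights;object_guid;inherit_object_guid;sid).
    """
    out = {"dacl": [], "sacl": []}
    for section in re.split(r"(?=[DS]:)", sddl):      # split at 'D:' and 'S:'
        if not section:
            continue
        key = "dacl" if section.startswith("D:") else "sacl"
        for body in ACE_RE.findall(section):
            ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
            out[key].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": split_codes(flags),
                "rights": split_codes(rights),
                "trustee": TRUSTEES.get(sid, sid),
            })
    return out


def rights_for(parsed, trustee):
    """Rights explicitly allowed and explicitly denied to one trustee by the DACL."""
    allowed, denied = set(), set()
    for ace in parsed["dacl"]:
        if ace["trustee"] == trustee:
            (denied if ace["type"] == "DENY" else allowed).update(ace["rights"])
    return allowed, denied


def stop_blockers(parsed):
    """Trustees that a deny ACE prevents from stopping or pausing the service."""
    return [ace["trustee"] for ace in parsed["dacl"]
            if ace["type"] == "DENY" and {"WP", "DT"} & set(ace["rights"])]


if __name__ == "__main__":
    sd = parse_sddl(MALWARE_SDDL)
    for ace in sd["dacl"]:
        print(f"{ace['type']:5} {ace['trustee']:26} "
              + ", ".join(RIGHTS.get(r, r) for r in ace["rights"]))
    print("stop/pause denied to:", stop_blockers(sd))
    allowed, denied = rights_for(sd, "BUILTIN\\Administrators")
    print("Administrators keep WRITE_DAC:", "WD" in allowed and "WD" not in denied)
```

Two details matter for clean-up. The Administrators allow ACE still grants WD (WRITE_DAC) and WO (WRITE_OWNER), so an elevated shell can rewrite the descriptor with `sc sdset` and then stop the service, and SYSTEM retains SERVICE_STOP outright; whether either works on a live host also depends on the WinMonFS rootkit driver the report flags under behavioral2. Note also that this DACL is non-canonical (the deny ACE follows an allow ACE for the same SID, and AccessCheck walks ACEs in order); it has the intended effect only because the allow ACE no longer carries WP or DT.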

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.177:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.177:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 1438cbd4-e01e-489c-8f45-305e938044c8.uuid.datadumpcloud.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server3.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
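
Most of this table is resolver noise: the in-addr.arpa rows are reverse lookups of addresses the machine talked to, and the bing.com traffic is the sandbox image's own background. The triage below separates those from the endpoints worth an analyst's time, maps each domain to the peer it actually connected to, and checks whether every reverse lookup corresponds to a peer that the table itself shows. It is an added example written for this page, not output from the sandbox; the rows are copied from the table above and the benign-domain baseline is an assumption to replace with your own.

```python
import re

# Rows copied from the Network table of the behavioral1 run above
# (Country, Destination, Domain, Proto), embedded so the triage runs offline.
NETWORK_TABLE = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.177:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.177:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 1438cbd4-e01e-489c-8f45-305e938044c8.uuid.datadumpcloud.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server3.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
"""
# Background traffic of a stock Windows sandbox image (assumption: use your own baseline).
BENIGN_DOMAINS = ("bing.com", "bing.net")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")
UUID_LABEL_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.")


def parse_rows(text):
    """Flattened table -> dicts with ip, port, domain, proto."""
    rows = []
    for line in text.strip().splitlines():
        _country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'104.216.82.185.in-addr.arpa' -> '185.82.216.104'; None for any other name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_benign(domain):
    return any(domain == d or domain.endswith("." + d) for d in BENIGN_DOMAINS)


def triage(rows):
    """Strip resolver noise, map domains to peers, and list what still needs a look."""
    contacted = {r["ip"] for r in rows if r["port"] != 53}   # real peers, not the resolver
    resolved, ptr_ips, candidates, stun = {}, set(), set(), set()
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:                                   # reverse lookup of some peer address
            ptr_ips.add(ip)
            continue
        if r["port"] != 53:
            resolved.setdefault(r["domain"], set()).add(r["ip"])
        if is_benign(r["domain"]):
            continue
        (stun if r["domain"].startswith("stun.") else candidates).add(r["domain"])
    return {
        "resolved": resolved,
        "candidates": sorted(candidates),
        "stun": sorted(stun),                    # public-IP discovery, not C2 by itself
        "per_host_ids": sorted(d for d in candidates if UUID_LABEL_RE.match(d)),
        "ptr_explained": sorted(ptr_ips & contacted),    # peer appears in the table
        "ptr_unexplained": sorted(ptr_ips - contacted),  # peer the table never shows
    }


if __name__ == "__main__":
    report = triage(parse_rows(NETWORK_TABLE))
    for key in ("candidates", "per_host_ids", "stun", "ptr_unexplained"):
        print(f"{key}: {report[key]}")
```

On this table the script leaves four candidates (the two datadumpcloud.org hosts, carsalessystem.com and cdn.discordapp.com), keeps stun.l.google.com on UDP 19302 as public-IP discovery rather than C2, and finds that six of the seven peers in the table have a matching reverse lookup while twelve reverse lookups point at addresses the table never shows as peers. Those twelve are connections the table omits, so check the capture before treating them as infrastructure. The UUID-labelled subdomain of datadumpcloud.org is the kind of per-host identifier that makes a domain-level IOC more useful than the full hostname.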

Files

memory/184-1-0x00000000029A0000-0x0000000002DA8000-memory.dmp

memory/184-2-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/184-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2500-4-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/2500-5-0x0000000005170000-0x00000000051A6000-memory.dmp

memory/2500-6-0x00000000058E0000-0x0000000005F08000-memory.dmp

memory/2500-7-0x0000000005730000-0x0000000005752000-memory.dmp

memory/2500-9-0x00000000060E0000-0x0000000006146000-memory.dmp

memory/2500-8-0x0000000005F80000-0x0000000005FE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5scffey.jfd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2500-19-0x0000000006150000-0x00000000064A4000-memory.dmp

memory/2500-20-0x0000000006750000-0x000000000676E000-memory.dmp

memory/2500-21-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/2500-22-0x0000000006B30000-0x0000000006B74000-memory.dmp

memory/2500-23-0x0000000007850000-0x00000000078C6000-memory.dmp

memory/2500-24-0x0000000008150000-0x00000000087CA000-memory.dmp

memory/2500-25-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

memory/2500-26-0x0000000007C90000-0x0000000007CC2000-memory.dmp

memory/2500-27-0x0000000070130000-0x000000007017C000-memory.dmp

memory/2500-28-0x0000000070300000-0x0000000070654000-memory.dmp

memory/2500-38-0x0000000007CD0000-0x0000000007CEE000-memory.dmp

memory/2500-39-0x0000000007CF0000-0x0000000007D93000-memory.dmp

memory/2500-40-0x0000000007DE0000-0x0000000007DEA000-memory.dmp

memory/2500-41-0x0000000007EA0000-0x0000000007F36000-memory.dmp

memory/2500-42-0x0000000007E00000-0x0000000007E11000-memory.dmp

memory/2500-43-0x0000000007E40000-0x0000000007E4E000-memory.dmp

memory/2500-44-0x0000000007E50000-0x0000000007E64000-memory.dmp

memory/2500-45-0x0000000007F40000-0x0000000007F5A000-memory.dmp

memory/2500-46-0x0000000007E80000-0x0000000007E88000-memory.dmp

memory/2500-49-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/184-50-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/184-51-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/3052-53-0x0000000002970000-0x0000000002D6C000-memory.dmp

memory/680-59-0x00000000063C0000-0x0000000006714000-memory.dmp

memory/680-64-0x0000000006A10000-0x0000000006A5C000-memory.dmp

memory/680-65-0x0000000070230000-0x000000007027C000-memory.dmp

memory/680-66-0x0000000070820000-0x0000000070B74000-memory.dmp

memory/680-76-0x0000000007BE0000-0x0000000007C83000-memory.dmp

memory/680-77-0x0000000007EE0000-0x0000000007EF1000-memory.dmp

memory/680-78-0x0000000007F30000-0x0000000007F44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4416-88-0x0000000005BD0000-0x0000000005F24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f175df91fefced684a48464096284db
SHA1 cafccf80f79799117578c2be7c78bf94f93528f9
SHA256 104e7678c6bbf247cc5bfde05b776c2c4814eec099df7dbbade62f8a0d1b2496
SHA512 984e5a1331a74253fe8a0ac353ff2f82485eda9d948cbd216bb6dbb0e765e2d5b2766cf5f97b5aefc3e06f7d702355859de14810c37411fe33882ac6c36bc3e8

memory/4416-93-0x0000000070230000-0x000000007027C000-memory.dmp

memory/4416-94-0x00000000709F0000-0x0000000070D44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 02f2142bfb8dc1a1fcd7d9210aa1c64a
SHA1 6a5e2585703bdce9d741ad9606a0a5f2caf6b0ed
SHA256 c841ff703e1245c4deb7669bfa92b16942c30329719af8a806714aa8ce86080e
SHA512 22eacfb27180ef6f52d9c78b27830c568f16701183dc148c3de4378e9690882c5757cc206b844087cca2319d3a0162dfea55e86b22d6949a90832a532f08dd66

memory/1364-114-0x0000000006520000-0x0000000006874000-memory.dmp

memory/1364-117-0x00000000703B0000-0x0000000070704000-memory.dmp

memory/1364-116-0x0000000070230000-0x000000007027C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 38454d5d515105d6a21060bb2a51f6b1
SHA1 3b2b952126d535dba7da979e8ef21a1b78efe974
SHA256 a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe
SHA512 cd323ff122e2087d1b578010c788e6e5816b46d09234a2e327d13337c64e8551e076a67da7139c771e839f1a13736260b9dc32f8b50c7f0f75c9da10590213ad

memory/3052-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3484-143-0x0000000005870000-0x0000000005BC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 db9795b78b27781872806298fa841c1e
SHA1 fe2378c7c919a59babad07d68f7024e756ed513e
SHA256 81e8223f857d69db4ed61ae135594635d46008ab9397c6f2a5785ea7ecc985df
SHA512 bffc0d982405647388f3553d420194b70f8455cea2a7fae529f260d0052b52dcaac95a4765adfc22a64412ae552e61ff6a7766a1b86989ec50af66cbfa14bd18

memory/3484-145-0x0000000005D40000-0x0000000005D8C000-memory.dmp

memory/3484-147-0x0000000070950000-0x0000000070CA4000-memory.dmp

memory/3484-157-0x0000000007020000-0x00000000070C3000-memory.dmp

memory/3484-146-0x0000000070190000-0x00000000701DC000-memory.dmp

memory/3484-158-0x00000000072A0000-0x00000000072B1000-memory.dmp

memory/3484-159-0x0000000005070000-0x0000000005084000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 84bba0802fe9325f5f6fe5299cd112d5
SHA1 53b6f320b928198c382680c64e9c9876c6a46121
SHA256 c23caa5c5a421eebc0f578f8788d1641499aa48aa300eef4d3140d070c130531
SHA512 e2648097dd6c0a6a44bc0353d27ba2736da1cc9dfca93e1191ff8a5a02101fd0fad3c1de8172bd04ca51dc1973c25dd63555f23d4da3df3d5cf3abdac6edf65b

memory/1896-171-0x0000000006720000-0x000000000676C000-memory.dmp

memory/1896-173-0x0000000070820000-0x0000000070B74000-memory.dmp

memory/1896-183-0x0000000007610000-0x00000000076B3000-memory.dmp

memory/1896-172-0x00000000700B0000-0x00000000700FC000-memory.dmp

memory/1896-184-0x0000000007930000-0x0000000007941000-memory.dmp

memory/1896-185-0x00000000061A0000-0x00000000061B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a0746ad6e178f4b7458f024067cdb105
SHA1 d0d3dc24e807d02f4f9248b7ca1deb7ba98e9954
SHA256 8abc4775edc16a0f2959985e57a47074349cb7014748317c182d6353e83b6306
SHA512 5e4980aa0caabaf0d8784a794efa446c6d774e2b17ee5fe64195bba108b07df5454b588d1d030273f687245f76d0d6de485260eed98c02ad479342ead9fb63b6

memory/4344-196-0x00000000062E0000-0x0000000006634000-memory.dmp

memory/4344-199-0x0000000070230000-0x0000000070584000-memory.dmp

memory/4344-198-0x00000000700B0000-0x00000000700FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/264-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3976-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2552-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3976-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/264-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2552-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/264-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2552-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/264-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2552-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/264-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/264-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:25

Reported

2024-05-16 15:28

Platform

win11-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
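
The evasion and persistence signatures in this run each come down to a single command line: a netsh allow rule for an executable living in C:\Windows\rss, a logon task at the highest run level for that same file, `sc sdset` on the service, a system-binary name (csrss.exe) running from a directory that never hosts it, and a Temp-resident injector handed a target process and a DLL. The signature tables here list only the process names, so the rules below run over process-creation events constructed from the command lines in the behavioral1 process list. This is an added example written for this page, not part of the sandbox's signature set; the trusted-directory prefixes and the list of system binary names are assumptions to tune for your own estate.

```python
import ntpath
import re

# Core Windows binaries that only ever run from System32/SysWOW64; the same file
# name anywhere else is masquerading. Assumption for the example: extend as needed.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                   "winlogon.exe", "services.exe", "wininit.exe", "conhost.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Locations from which a firewall allow rule or logon task is unremarkable (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

FW_PROGRAM_RE = re.compile(r'program="([^"]+)"', re.I)
TASK_RUN_RE = re.compile(r'/tr\s+"?([^"\s]+)', re.I)
SDDL_DENY_STOP_RE = re.compile(r"\(D;[^;]*;[A-Z]*(?:WP|DT)")  # deny ACE with SERVICE_STOP/PAUSE

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe")
# (image, command line) pairs constructed from the behavioral1 process list above.
EVENTS = [
    (SAMPLE, f'"{SAMPLE}"'),
    ("C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell -nologo -noprofile"),
    ("C:\\Windows\\system32\\netsh.exe",
     'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
     'program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    ("C:\\Windows\\rss\\csrss.exe", "C:\\Windows\\rss\\csrss.exe"),
    ("C:\\Windows\\SYSTEM32\\schtasks.exe",
     'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'),
    ("C:\\Windows\\SYSTEM32\\schtasks.exe", "schtasks /delete /tn ScheduledUpdate /f"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe "
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll"),
    ("C:\\Windows\\SysWOW64\\sc.exe",
     "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
     "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
     "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
]


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def evaluate(image, cmdline):
    """Names of the rules that fire for one process-creation event (empty list = quiet)."""
    hits = []
    low = cmdline.lower()
    args = low.split(None, 1)[1] if " " in low else ""
    base, parent = ntpath.basename(image).lower(), ntpath.dirname(image).lower()

    if base in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        hits.append("system_binary_masquerade")
    if "advfirewall" in low and "action=allow" in low:
        m = FW_PROGRAM_RE.search(cmdline)
        if m and not in_trusted_dir(m.group(1)):
            hits.append("firewall_allow_unusual_program")
    if base == "schtasks.exe" and "/create" in low and "/sc onlogon" in low and "/rl highest" in low:
        m = TASK_RUN_RE.search(cmdline)
        if m and not in_trusted_dir(m.group(1)):
            hits.append("logon_task_highest_unusual_program")
    if base == "sc.exe" and " sdset " in low and SDDL_DENY_STOP_RE.search(cmdline):
        hits.append("service_dacl_denies_stop")
    if "\\appdata\\local\\temp\\" in image.lower() and ".dll" in args and ".exe" in args:
        hits.append("temp_binary_with_dll_argument")   # injector.exe <target> <dll> shape
    return hits


def scan(events):
    """(image basename, rules) for every event that fired at least one rule."""
    return [(ntpath.basename(image), hits)
            for image, cmd in events if (hits := evaluate(image, cmd))]


if __name__ == "__main__":
    for name, hits in scan(EVENTS):
        print(f"{name:14} {', '.join(hits)}")
```

Each rule keys on a combination (an allow rule plus an unusual program path, ONLOGON plus HIGHEST plus an unusual path) rather than on the tool alone, because netsh and schtasks are also used by legitimate installers; the sample's own launch and the plain `powershell -nologo -noprofile` children stay quiet, and the `schtasks /delete` call does too. The masquerade check would also fire from the file-creation event for C:\Windows\rss\csrss.exe, which precedes the first process start.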

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\system32\cmd.exe
PID 3004 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\system32\cmd.exe
PID 3452 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3452 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3004 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\rss\csrss.exe
PID 3004 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\rss\csrss.exe
PID 3004 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe C:\Windows\rss\csrss.exe
PID 4292 wrote to memory of 3652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4772 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 5012 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4292 wrote to memory of 5012 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 468 wrote to memory of 3160 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 3160 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 3160 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3160 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3160 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe

"C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe

"C:\Users\Admin\AppData\Local\Temp\a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5fef4371-d126-4ab6-9338-2284ecb0f141.uuid.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.datadumpcloud.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server3.datadumpcloud.org tcp

Files

memory/3024-1-0x0000000002A20000-0x0000000002E24000-memory.dmp

memory/3024-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3024-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-4-0x000000007492E000-0x000000007492F000-memory.dmp

memory/3264-5-0x0000000002B20000-0x0000000002B56000-memory.dmp

memory/3264-6-0x0000000074920000-0x00000000750D1000-memory.dmp

memory/3264-7-0x00000000052B0000-0x00000000058DA000-memory.dmp

memory/3264-8-0x0000000005150000-0x0000000005172000-memory.dmp

memory/3264-10-0x0000000005AF0000-0x0000000005B56000-memory.dmp

memory/3264-9-0x0000000005950000-0x00000000059B6000-memory.dmp

memory/3264-13-0x0000000074920000-0x00000000750D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yavnqq32.55y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3264-20-0x0000000005B60000-0x0000000005EB7000-memory.dmp

memory/3264-21-0x0000000006000000-0x000000000601E000-memory.dmp

memory/3264-22-0x0000000006030000-0x000000000607C000-memory.dmp

memory/3264-23-0x00000000065A0000-0x00000000065E6000-memory.dmp

memory/3264-24-0x0000000007400000-0x0000000007434000-memory.dmp

memory/3264-25-0x0000000070B90000-0x0000000070BDC000-memory.dmp

memory/3264-27-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/3264-36-0x0000000007460000-0x000000000747E000-memory.dmp

memory/3264-26-0x0000000074920000-0x00000000750D1000-memory.dmp

memory/3264-37-0x0000000007480000-0x0000000007524000-memory.dmp

memory/3264-40-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/3264-39-0x0000000007BF0000-0x000000000826A000-memory.dmp

memory/3264-38-0x0000000074920000-0x00000000750D1000-memory.dmp

memory/3264-41-0x00000000075F0000-0x00000000075FA000-memory.dmp

memory/3264-42-0x0000000007700000-0x0000000007796000-memory.dmp

memory/3264-43-0x0000000007610000-0x0000000007621000-memory.dmp

memory/3264-44-0x0000000007660000-0x000000000766E000-memory.dmp

memory/3264-45-0x0000000007670000-0x0000000007685000-memory.dmp

memory/3264-46-0x00000000076C0000-0x00000000076DA000-memory.dmp

memory/3264-47-0x00000000076E0000-0x00000000076E8000-memory.dmp

memory/3264-50-0x0000000074920000-0x00000000750D1000-memory.dmp

memory/3024-51-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3024-52-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3004-54-0x0000000002A20000-0x0000000002E1F000-memory.dmp

memory/1516-60-0x00000000057F0000-0x0000000005B47000-memory.dmp

memory/1516-64-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

memory/1516-65-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/1516-66-0x0000000070EB0000-0x0000000071207000-memory.dmp

memory/1516-75-0x0000000006F10000-0x0000000006FB4000-memory.dmp

memory/1516-76-0x0000000007240000-0x0000000007251000-memory.dmp

memory/1516-77-0x0000000007290000-0x00000000072A5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 29bfe6de3c66c9812a14193b83904242
SHA1 ac82e70d1e54d6a24d9f7eace714a5375442f30c
SHA256 eec23d21861e8981cb83f7885a92cdc59a255043e6881ca095f08d225f911f3a
SHA512 7e2e156266233dd7f6395f15bc6714bfcdc57e7e701f632aca957af54234ecff1289fbc696d9082eb8f3b0820d4a6e235896099d36d36342eb90cceb891795c2

memory/2072-90-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/2072-91-0x0000000070EB0000-0x0000000071207000-memory.dmp

memory/2188-109-0x0000000005C00000-0x0000000005F57000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ef56a6497f77bc2f170dc117e24eac0
SHA1 9d4ee33af1a1bdb66b9512ed6cb0374a50d1f796
SHA256 76e8d06100fc65d5e90c4b3e1f7056f816edbf44d16f28afeb543b57c405e479
SHA512 38e69c2e7af5def14d0c8878d031afa5d5a8c90a0454469401768856e5de1970000d8c435639402b7c069fb129d4cb9b24fedde9137a7f8c2366a0d3b3f9f21a

memory/2188-111-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/2188-112-0x0000000070E20000-0x0000000071177000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 38454d5d515105d6a21060bb2a51f6b1
SHA1 3b2b952126d535dba7da979e8ef21a1b78efe974
SHA256 a63b7d1d1e1190e1cffbd97c783eb30aa345d70bf9bce8764174456acaa66bfe
SHA512 cd323ff122e2087d1b578010c788e6e5816b46d09234a2e327d13337c64e8551e076a67da7139c771e839f1a13736260b9dc32f8b50c7f0f75c9da10590213ad

memory/3004-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3652-136-0x0000000005E80000-0x00000000061D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 85d13466a4b70a1fbfce5c678b8b6ba2
SHA1 0e017e56951d21c955e6425161de29c24a014f6f
SHA256 401b86d01ca018456db9162e9683c8657c218a8a2eaec7144ecd16778f5468dd
SHA512 bf18f97eae0a65c38962aa6e3c08ac9d4e71fb6b42ba7a50f4d4ef15006bc9c1e52593e61f3fbc0e9c4384649c51ed4d2e6f6250314e123a4c414cb1e793dbae

memory/3652-138-0x0000000006860000-0x00000000068AC000-memory.dmp

memory/3652-140-0x0000000070D80000-0x00000000710D7000-memory.dmp

memory/3652-139-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/3652-149-0x0000000007570000-0x0000000007614000-memory.dmp

memory/3652-150-0x00000000078B0000-0x00000000078C1000-memory.dmp

memory/3652-151-0x0000000005D50000-0x0000000005D65000-memory.dmp

memory/4772-161-0x00000000061B0000-0x0000000006507000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fa875a5b2d5f7d0c6b19d7d25638aeb3
SHA1 c04cf9110d1d847695fb9bb0ef90f54c85968e56
SHA256 5bb315f9d12213392c71bd10afdcb547286e70cb1e617565d20200ce69c1a426
SHA512 f0cfc6c3a122ec718d263b2842d3a056d992908c06947d06348dcb2b3271af7d5925cfbe8efbcd2646a13deee1d611c37d17ae04318f8cfdc3cf5b5b28ec0d55

memory/4772-163-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/4772-164-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/4772-165-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

memory/4772-174-0x00000000078B0000-0x0000000007954000-memory.dmp

memory/4772-175-0x0000000007C30000-0x0000000007C41000-memory.dmp

memory/4772-176-0x00000000060E0000-0x00000000060F5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3f9a6b71201c2ce5950c055aef493425
SHA1 0d96e4e402844e8212aefb9297460dea61b6bba5
SHA256 e66169522ead29c79017c08cf80f31a0b57aa549fd5e0a62ed34e74e7d977f58
SHA512 235355e7ce8a545d47db12a97ed08771a00be9498d2b454d6d7bf559353ebe777e2d7ab883852405a093579a40339aab3f7283527850b7a129f963493bbd87fe

memory/1696-187-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/1696-188-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4292-203-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/468-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2500-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/468-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2500-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4292-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2500-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4292-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4292-234-0x0000000000400000-0x0000000000D1C000-memory.dmp