Malware Analysis Report

2024-12-08 02:20

Sample ID 240516-tb5blaca6v
Target 88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66
SHA256 88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66

Threat Level: Known bad

The file 88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:53

Reported

2024-05-16 15:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 15
N/A N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 31
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 652 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3484 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3484 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\system32\cmd.exe 2
PID 4876 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 3484 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3484 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3484 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\rss\csrss.exe 3
PID 3008 wrote to memory of 2148 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3008 wrote to memory of 4512 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3008 wrote to memory of 2044 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3008 wrote to memory of 2428 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 4568 wrote to memory of 2076 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2076 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe

"C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe

"C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
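The `sc sdset WinDefender ...` line above is the most consequential command in this process list. It rewrites the security descriptor of a service named WinDefender (a name chosen to look like Microsoft Defender, whose real service is WinDefend; the binary is the dropped C:\Windows\windefender.exe). Read as SDDL, the Administrators allow ACE is missing WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a separate `(D;;WPDT;;;BA)` ACE denies exactly those two rights to Administrators, so `sc stop`, `net stop` and the Services console all fail with access denied even for a local admin. The following parser is an added example written for this report, not sandbox output or Glupteba code; it decodes the descriptor and compares it with the commonly documented default service descriptor, which is an assumption you should confirm with `sc sdshow` on a clean host.

```python
import re

# SDDL two-letter rights as they apply to service objects (standard Windows abbreviations).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone", "AU": "Authenticated users"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The descriptor from the sc sdset command in the behavioral1 process list above.
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Baseline for comparison: the default descriptor most Windows services carry.
# Assumption for this example; verify with `sc sdshow <service>` on a clean host.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

ACL_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")


def parse_sddl(sddl):
    """Split an SDDL string into its DACL ('D') and SACL ('S') ACE lists."""
    acls = {"D": [], "S": []}
    for kind, body in ACL_RE.findall(sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit, sid = ace.split(";")
            acls[kind].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                # rights are packed as consecutive two-letter codes
                "rights": {rights[i:i + 2] for i in range(0, len(rights), 2)},
                "trustee": TRUSTEES.get(sid, sid),
            })
    return acls


def allowed_rights(sddl):
    """Rights each trustee is granted by the DACL's allow ACEs."""
    out = {}
    for ace in parse_sddl(sddl)["D"]:
        if ace["type"] == "allow":
            out.setdefault(ace["trustee"], set()).update(ace["rights"])
    return out


def control_denials(sddl):
    """Trustees explicitly denied SERVICE_STOP and/or SERVICE_PAUSE_CONTINUE."""
    denied = {}
    for ace in parse_sddl(sddl)["D"]:
        hit = ace["rights"] & {"WP", "DT"}
        if ace["type"] == "deny" and hit:
            denied[ace["trustee"]] = sorted(RIGHTS[r] for r in hit)
    return denied


def rights_stripped(sddl, baseline=DEFAULT_SERVICE_SDDL):
    """Rights present in the baseline's allow ACEs but missing from the sample's."""
    base, cur = allowed_rights(baseline), allowed_rights(sddl)
    return {t: sorted(RIGHTS[r] for r in base[t] - cur.get(t, set()))
            for t in base if base[t] - cur.get(t, set())}


if __name__ == "__main__":
    print("explicit denies:", control_denials(GLUPTEBA_SDDL))
    print("removed from default allow:", rights_stripped(GLUPTEBA_SDDL))
```

Administrators keep WD (WRITE_DAC) and SD (DELETE) in this descriptor, so the lock-out is shallow: `sc sdset WinDefender` with the default descriptor restores stop/pause rights, after which `sc stop` and `sc delete` work normally. On a live host, `sc sdshow WinDefender` prints the current descriptor for the same check.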

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.177:443 www.bing.com tcp
US 8.8.8.8:53 177.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 dc732153-11d2-4e15-b56c-3a53cef99afa.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server1.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
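Most rows in the table above are reverse lookups the sandbox issues for every peer it sees, and several hostnames appear both as a DNS query and as a later TCP/UDP connection. The script below is an added example for this report (not sandbox tooling): it parses the table, drops the in-addr.arpa noise, records for each hostname whether it was only resolved or actually contacted, and flags two patterns worth a second look: a UUID as the leftmost label (a per-victim identifier carried in the query name, as in the thestatsfiles.ru lookup) and traffic to STUN ports (NAT-type discovery). Treating ports 3478 and 19302 as STUN, and grouping by the last two labels, are simplifications made for the example; whether the Bing traffic is OS background noise is left to the analyst rather than hard-coded.

```python
import re
from collections import defaultdict

# The network table from this detonation, copied verbatim from the report above.
NETWORK_LOG = """\
Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.177:443 www.bing.com tcp
US 8.8.8.8:53 177.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 dc732153-11d2-4e15-b56c-3a53cef99afa.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server1.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
"""

UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)
STUN_PORTS = {3478, 19302}  # assumption: classic STUN port and Google's STUN port


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        cc, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Per hostname: resolved only or contacted, the endpoints used, and pattern flags.
    Reverse lookups are dropped: they carry no attacker-chosen name."""
    hosts = {}
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            continue
        h = hosts.setdefault(d, {"dns_only": True, "endpoints": set(), "flags": set()})
        if not (r["proto"] == "udp" and r["port"] == 53):
            h["dns_only"] = False
            h["endpoints"].add((r["ip"], r["port"], r["proto"], r["cc"]))
            if r["port"] in STUN_PORTS:
                h["flags"].add("stun")
        if UUID_LABEL.match(d):
            h["flags"].add("uuid_label")  # victim identifier embedded in the query name
    return hosts


def by_zone(hosts):
    """Group hostnames by their last two labels (naive registrable-domain approximation)."""
    zones = defaultdict(list)
    for host in hosts:
        zones[".".join(host.split(".")[-2:])].append(host)
    return {z: sorted(hs) for z, hs in zones.items()}


if __name__ == "__main__":
    for name, info in summarize(parse_rows(NETWORK_LOG)).items():
        print(name, "dns-only" if info["dns_only"] else sorted(info["endpoints"]), sorted(info["flags"]))
```

Grouping by zone puts the UUID-labelled lookup and server1.thestatsfiles.ru under the same registrable domain, which is the indicator to carry forward; the per-victim lookup is resolved but never connected to within this run.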

Files

memory/652-1-0x0000000002920000-0x0000000002D28000-memory.dmp

memory/652-2-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/652-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4320-4-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

memory/4320-5-0x0000000002B00000-0x0000000002B36000-memory.dmp

memory/4320-6-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4320-7-0x00000000051F0000-0x0000000005818000-memory.dmp

memory/4320-8-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4320-9-0x0000000005850000-0x0000000005872000-memory.dmp

memory/4320-11-0x0000000005A60000-0x0000000005AC6000-memory.dmp

memory/4320-10-0x00000000059F0000-0x0000000005A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_csa1a4yd.evn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4320-21-0x0000000005AD0000-0x0000000005E24000-memory.dmp

memory/4320-22-0x0000000006090000-0x00000000060AE000-memory.dmp

memory/4320-23-0x00000000060D0000-0x000000000611C000-memory.dmp

memory/4320-24-0x0000000006640000-0x0000000006684000-memory.dmp

memory/4320-25-0x00000000071D0000-0x0000000007246000-memory.dmp

memory/4320-26-0x00000000078D0000-0x0000000007F4A000-memory.dmp

memory/4320-27-0x0000000007270000-0x000000000728A000-memory.dmp

memory/4320-29-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/4320-30-0x0000000071080000-0x00000000713D4000-memory.dmp

memory/4320-28-0x0000000007630000-0x0000000007662000-memory.dmp

memory/4320-40-0x0000000007670000-0x000000000768E000-memory.dmp

memory/4320-41-0x0000000007690000-0x0000000007733000-memory.dmp

memory/4320-42-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4320-44-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4320-43-0x0000000007780000-0x000000000778A000-memory.dmp

memory/4320-45-0x0000000007F50000-0x0000000007FE6000-memory.dmp

memory/4320-46-0x00000000077A0000-0x00000000077B1000-memory.dmp

memory/4320-47-0x00000000077E0000-0x00000000077EE000-memory.dmp

memory/4320-48-0x00000000077F0000-0x0000000007804000-memory.dmp

memory/4320-49-0x0000000007840000-0x000000000785A000-memory.dmp

memory/4320-50-0x0000000007830000-0x0000000007838000-memory.dmp

memory/4320-53-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/3484-55-0x0000000002920000-0x0000000002D19000-memory.dmp

memory/3484-56-0x0000000002D20000-0x000000000360B000-memory.dmp

memory/1128-57-0x0000000005AE0000-0x0000000005E34000-memory.dmp

memory/1128-68-0x0000000071400000-0x0000000071754000-memory.dmp

memory/1128-67-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/1128-78-0x0000000007320000-0x00000000073C3000-memory.dmp

memory/1128-79-0x0000000007640000-0x0000000007651000-memory.dmp

memory/1128-80-0x0000000007690000-0x00000000076A4000-memory.dmp

memory/652-84-0x0000000002920000-0x0000000002D28000-memory.dmp

memory/652-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 93c7e58b5930d34fdbb50fbe80058721
SHA1 d20bf995e3fb919356d9492874f0f8a32233a9d0
SHA256 a16b9972da92cf6551b1b37894e0b9c74d98c9537df0b9c3d2b55cec35e5bced
SHA512 48f70d58fc7e9c1f3897c378c45b565834cf7e0b5303c634f3b37b8845e3cc5d19e21b28952e9e92d929bb9444a59421a43f2b24485400b9016fdd11370426ef

memory/1536-96-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/1536-97-0x0000000071400000-0x0000000071754000-memory.dmp

memory/652-117-0x0000000002D30000-0x000000000361B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ff02c83ba4b0657414bc5cafa33790e
SHA1 734fab35293df0a5b29924f4eec114179779785f
SHA256 322c5ffa8fb7974f74f06b74d62f20035b0b6d13e0976a068b859ba25f7af1f9
SHA512 e696006f1fa363c3367022d32eb7492c5953de18dda35b7fa9b44bdc58d0ee97183de3cefb76f093b6acb2094ddda67d5d42f16389bce2f8a66c8be28104750e

memory/2080-119-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/2080-120-0x0000000071400000-0x0000000071754000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7360de6ccb3bf2dedd7c45f46723f579
SHA1 3cb86d7af0ba6ba6ae33feb6a4f3bb68c0e1f1a9
SHA256 88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66
SHA512 1793f8bd58e45a57feebeaca1f88df336baf58f1f878828b343323c4402f981504620c45b3228b91b7dbd2fe3d0232722f0333cb9c257cd18fb56659b887c72a

memory/3484-134-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1d9f8029b6ff21f3229e61e7725e52cd
SHA1 fa966270bad97525170de458c2c54abd00c2292e
SHA256 7a3c57f20cb87b00c49a6a33296ef2088ae0ed4d55abd2c012d783a33f9e17ac
SHA512 b96dca6560502f74b1a2251c1d1943e912888923636f87df896fd9970cefd673e265879a32fcd81a805de988f9e90c606df3a5f6076ca24ceda22053cdc0223a

memory/2148-147-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/2148-148-0x0000000071400000-0x0000000071754000-memory.dmp

memory/4512-169-0x0000000005A90000-0x0000000005DE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 32c1c7a790afe6f4f3b2921f8c8b3102
SHA1 e490e61e0dd06aee8f7c62533c7ca6d9d80a1335
SHA256 386f8080883c789b95349cb31053e3b2b7998e2f340f916eb527596b649f10c0
SHA512 3cf5d84ac1150e65058f11ad7a4d02f659d1ba71782c786ea890d2ce1204358554140d5440159ef8981864f3eb3b7396e4e7b7add47435aac17999d945f6601b

memory/4512-171-0x0000000006060000-0x00000000060AC000-memory.dmp

memory/4512-172-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

memory/4512-173-0x0000000070D20000-0x0000000071074000-memory.dmp

memory/4512-183-0x0000000007110000-0x00000000071B3000-memory.dmp

memory/4512-184-0x0000000007490000-0x00000000074A1000-memory.dmp

memory/4512-185-0x0000000005900000-0x0000000005914000-memory.dmp

memory/2044-192-0x0000000006050000-0x00000000063A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e8ec7b7dc5d048948341180273f04c07
SHA1 38326a306e8593b75be4126adb5be98b7745e32e
SHA256 b8742bb6a9837df52e4a400b30aa200fb27a39787579e7fa23be3f7abb178fcc
SHA512 b225bbe8acad4c978c71bc5bfb39193c816382023793f2c776c68d08ffc598ea6dd94afca67706b26e98cc23c60ee5c8c763cf16ba1482fcb5841cfc202c8722

memory/2044-199-0x0000000071330000-0x0000000071684000-memory.dmp

memory/2044-198-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

memory/3008-209-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4568-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3008-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2132-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4568-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3008-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2132-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3008-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2132-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3008-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3008-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:53

Reported

2024-05-16 15:56

Platform

win11-20240426-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 hits; the report records no description, indicator, process or target for any of them (all N/A)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 hits; the report records no description, indicator, process or target for any of them (all N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
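The firewall, Run key and scheduled task signatures above share one binary, C:\Windows\rss\csrss.exe: a file named after a core system process but dropped outside System32, allowed through the firewall by name, registered as a Run value and as an ONLOGON task with /RL HIGHEST. The checks below are an added example for this report, not sandbox or vendor code; they run over the raw command lines and the registry row as they appear in this report and flag an untrusted path in each of the three mechanisms plus the name masquerade. The list of System32-only process names, the trusted directories, and the benign vendor-updater control line are assumptions constructed for the example. The injector.exe line in the behavioral1 process list (a DLL named after NtQuerySystemInformation loaded into taskmgr.exe, by its name a process-hiding hook) is a separate technique these string checks do not cover.

```python
import re
from pathlib import PureWindowsPath

# Process names that only run from %SystemRoot%\System32 on a healthy host.
# This set is an assumption made for the example, not something the report states.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
                 "services.exe", "svchost.exe", "wininit.exe"}
# Directories from which an autostart binary is considered expected (also an assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

FIREWALL_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=("[^"]*"|\S+)', re.I)
TASK_RE = re.compile(r'schtasks(?:\.exe)?\s+/create\b.*?/tr\s+("[^"]*"|\S+)', re.I)
# Registry rows as the report prints them: ...\Run\<name> = "<escaped data>" <process> <target>
RUNKEY_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+)\s*=\s*"(?P<data>.*?)"\s+\S+\s+\S+$', re.I)


def _clean(value):
    # Undo the report's escaping of quotes and backslashes, then drop surrounding quotes.
    return value.replace('\\"', '"').replace("\\\\", "\\").strip().strip('"')


def is_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def is_masquerade(path):
    """True when a System32-only process name is launched from somewhere else."""
    return PureWindowsPath(path).name.lower() in SYSTEM32_ONLY and not is_trusted_dir(path)


def triage(events):
    """Return (rule, target_binary, name_masquerade) for each suspicious autostart/firewall event."""
    findings = set()
    for line in events:
        if m := FIREWALL_RE.search(line):
            target = _clean(m.group(1))
            if not is_trusted_dir(target):
                findings.add(("firewall_allow_untrusted_program", target, is_masquerade(target)))
        if m := TASK_RE.search(line):
            target = _clean(m.group(1))
            elevated = re.search(r"/rl\s+highest", line, re.I) is not None
            at_logon = re.search(r"/sc\s+onlogon", line, re.I) is not None
            if not is_trusted_dir(target) and (elevated or at_logon):
                findings.add(("logon_task_untrusted_binary", target, is_masquerade(target)))
        if m := RUNKEY_RE.search(line):
            target = _clean(m.group("data"))
            if not is_trusted_dir(target):
                findings.add(("run_key_untrusted_binary", target, is_masquerade(target)))
    return sorted(findings)


# The first four lines are taken from this report; the last is a constructed benign control.
SAMPLE_EVENTS = [
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A',
    r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\update.exe" /TN VendorUpdate /F',
]

if __name__ == "__main__":
    for rule, target, masquerade in triage(SAMPLE_EVENTS):
        print(f"{rule}: {target}" + ("  [system-process name outside System32]" if masquerade else ""))
```

The `schtasks /delete /tn ScheduledUpdate /f` line produces no finding by design; deletion of an arbitrary task is worth logging but is not by itself an autostart. On a live host the same three questions are answered by `netsh advfirewall firewall show rule name=all`, `schtasks /query /v /fo LIST` and the Run keys under HKCU and HKLM.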

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe 12
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 32
C:\Windows\rss\csrss.exe 6
(64 hits in total, grouped here by process; the report records no description, indicator or target for any of them)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\system32\cmd.exe
PID 5008 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5008 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\rss\csrss.exe
PID 2368 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\rss\csrss.exe
PID 2368 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe C:\Windows\rss\csrss.exe
PID 3264 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 1256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 2456 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3264 wrote to memory of 2456 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4644 wrote to memory of 1636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 1636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 1636 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1636 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1636 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe

"C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe

"C:\Users\Admin\AppData\Local\Temp\88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 9734f2c3-5e13-47e0-83f4-e4cbf5e98ec0.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server6.thestatsfiles.ru udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server6.thestatsfiles.ru tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server6.thestatsfiles.ru tcp
BG 185.82.216.96:443 server6.thestatsfiles.ru tcp

Files

memory/1968-1-0x0000000002A50000-0x0000000002E4C000-memory.dmp

memory/1968-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1968-2-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/4828-4-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

memory/4828-5-0x0000000003070000-0x00000000030A6000-memory.dmp

memory/4828-6-0x0000000005980000-0x0000000005FAA000-memory.dmp

memory/4828-7-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/4828-8-0x00000000058A0000-0x00000000058C2000-memory.dmp

memory/4828-10-0x0000000006020000-0x0000000006086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5udumez.i2a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4828-19-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/4828-9-0x0000000005FB0000-0x0000000006016000-memory.dmp

memory/4828-20-0x0000000006090000-0x00000000063E7000-memory.dmp

memory/4828-21-0x0000000006550000-0x000000000656E000-memory.dmp

memory/4828-22-0x00000000065A0000-0x00000000065EC000-memory.dmp

memory/4828-23-0x0000000006A70000-0x0000000006AB6000-memory.dmp

memory/4828-24-0x0000000007980000-0x00000000079B4000-memory.dmp

memory/4828-26-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/4828-27-0x0000000071130000-0x0000000071487000-memory.dmp

memory/4828-25-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

memory/4828-37-0x00000000079E0000-0x0000000007A84000-memory.dmp

memory/4828-36-0x00000000079C0000-0x00000000079DE000-memory.dmp

memory/4828-38-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/4828-40-0x0000000007B00000-0x0000000007B1A000-memory.dmp

memory/4828-39-0x0000000008150000-0x00000000087CA000-memory.dmp

memory/4828-41-0x0000000007B40000-0x0000000007B4A000-memory.dmp

memory/4828-42-0x0000000007C50000-0x0000000007CE6000-memory.dmp

memory/4828-43-0x0000000007B60000-0x0000000007B71000-memory.dmp

memory/4828-44-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

memory/4828-45-0x0000000007BC0000-0x0000000007BD5000-memory.dmp

memory/4828-46-0x0000000007C10000-0x0000000007C2A000-memory.dmp

memory/4828-47-0x0000000007C30000-0x0000000007C38000-memory.dmp

memory/4828-50-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/1968-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1968-53-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/2368-55-0x0000000002A20000-0x0000000002E1A000-memory.dmp

memory/4320-64-0x0000000006280000-0x00000000065D7000-memory.dmp

memory/4320-65-0x0000000006C00000-0x0000000006C4C000-memory.dmp

memory/4320-66-0x00000000710C0000-0x000000007110C000-memory.dmp

memory/4320-67-0x0000000071310000-0x0000000071667000-memory.dmp

memory/4320-76-0x0000000007A00000-0x0000000007AA4000-memory.dmp

memory/4320-77-0x0000000007D40000-0x0000000007D51000-memory.dmp

memory/4320-78-0x0000000007D90000-0x0000000007DA5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6d87b4c052b4b48018c3825a15f84bee
SHA1 bf27b91dd9bceb39b01b6714cc23fb82a7e1f8c4
SHA256 114eeac0915ce1ad9c98e0052d95cc58afba79272a090346d89674bc2add755c
SHA512 94a5ac91a9e577f9da9e9ffedf0613bf0ca393c395e6f27f49778b2c0523bbc11061d254a596f6435008a8d0cb6bc76201d80a1e708ed9b09d43c266d1d966e6

memory/3252-91-0x00000000710C0000-0x000000007110C000-memory.dmp

memory/3252-92-0x0000000071310000-0x0000000071667000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7eb6969a1024bb6f5ef1522c01004a5e
SHA1 825de619bd90fe736388554c3ca561273c4f8070
SHA256 740480ae74cfcdca30342d2512697926e6685ad59e432ab137c18f58753de7a4
SHA512 8b13e3555565188d137add50eab13007459c953eac9d247c309cfff21703bf331c508ebb4d57030e3cb84f459738c9fce65f5a907e051a2dda4f4690e329a0ac

memory/2792-111-0x00000000710C0000-0x000000007110C000-memory.dmp

memory/2792-112-0x0000000071310000-0x0000000071667000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7360de6ccb3bf2dedd7c45f46723f579
SHA1 3cb86d7af0ba6ba6ae33feb6a4f3bb68c0e1f1a9
SHA256 88a4b8daf7c17f7319b88f8b67acbc72b5cb228e82892a0be110e964d11e0f66
SHA512 1793f8bd58e45a57feebeaca1f88df336baf58f1f878828b343323c4402f981504620c45b3228b91b7dbd2fe3d0232722f0333cb9c257cd18fb56659b887c72a

memory/2368-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1128-136-0x00000000059E0000-0x0000000005D37000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d088a51ea72f4fc3022cc527635fc7e6
SHA1 47d27c545bf17121e1fa0a6755288a66f7afa773
SHA256 a3a227daf0bf497421650de7ed0becfb7cf72089805cda40a92ac3f51e024f70
SHA512 d8bb6623c972badb8e7e3cc24528f10fed38379e278cd948b82f7c5555882ee82c774e297bb4d48a5f65563bca01db7ffbd0d3468abd248811230e50e4221b74

memory/1128-138-0x0000000006410000-0x000000000645C000-memory.dmp

memory/1128-139-0x0000000071020000-0x000000007106C000-memory.dmp

memory/1128-140-0x00000000711A0000-0x00000000714F7000-memory.dmp

memory/1128-149-0x0000000007100000-0x00000000071A4000-memory.dmp

memory/1128-150-0x0000000007440000-0x0000000007451000-memory.dmp

memory/1128-151-0x0000000005930000-0x0000000005945000-memory.dmp

memory/1372-161-0x0000000005B40000-0x0000000005E97000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 65262712fbd45a0fa6ba878b78b7ab1a
SHA1 8c15330835733d322d9184ad2583f726e1e3dd75
SHA256 0059e9412d23a17dabd14dafe4d340dd15d0690389d38dd1a83b48321225987b
SHA512 dda8c040dfbbfe8da8115c500bd819f40bb8d9e5e9bb06d4ce35c8eab9b5ee6fbc3dddf314b0ebfe3a69dc39111c14c1626155ac861133c77429f8528c67479a

memory/1372-163-0x00000000062E0000-0x000000000632C000-memory.dmp

memory/1372-164-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/1372-165-0x00000000710E0000-0x0000000071437000-memory.dmp

memory/1372-174-0x0000000007270000-0x0000000007314000-memory.dmp

memory/1372-175-0x0000000007430000-0x0000000007441000-memory.dmp

memory/1372-176-0x0000000005A30000-0x0000000005A45000-memory.dmp

memory/1256-186-0x0000000005580000-0x00000000058D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 222ba0faf0701409120b7f6efc4f78c5
SHA1 ddc43307926921973de37755e8b6838b57c1f9b7
SHA256 8e65d54e894cc494becfcb7800285dd33fe9e2a464308e28b423d7eac38f7207
SHA512 7d84b866bc92fafabe7b3cc51d6e803c3841432e219a889fa27d6f839003efdf5237a59d97dfd2dd02a62cf88315f59dbd0bcc1301b9d4bad82ee616f29915f5

memory/1256-188-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/1256-189-0x0000000071190000-0x00000000714E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3264-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4644-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5008-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4644-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3264-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5008-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3264-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5008-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3264-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-236-0x0000000000400000-0x0000000000D1C000-memory.dmp