Malware Analysis Report

2024-12-08 02:19

Sample ID 240516-tbwz8aca5t
Target 62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352
SHA256 62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352

Threat Level: Known bad

The file 62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:53

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:53

Reported

2024-05-16 15:56

Platform

win11-20240426-en

Max time kernel

149s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\system32\cmd.exe
PID 3464 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3464 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1408 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\rss\csrss.exe
PID 1408 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\rss\csrss.exe
PID 1408 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\rss\csrss.exe
PID 3920 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 2708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 2708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 2708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 1700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 1700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 1700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3920 wrote to memory of 1992 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3920 wrote to memory of 1992 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1968 wrote to memory of 3480 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3480 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3480 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe

"C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe

"C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 d1b2719d-c21f-4d31-ac2a-bec22dd8eb74.uuid.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server7.datadumpcloud.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server7.datadumpcloud.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server7.datadumpcloud.org tcp
BG 185.82.216.104:443 server7.datadumpcloud.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsfrwbj0.4in.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cbd99945b2373c39b5bd2ee8c4e10971
SHA1 79c84fa022159c7bbd38378f15189f83771b5ce7
SHA256 e4a6e1ecbe2a2b05daa1573ad5e22f04797f835bb71353b8e1d3fcccabc8bca9
SHA512 37e67f0083168ef027fbf6f69467bec101676c976e48fa77f69e7f10f7d87f92a3e54f5176ec99950efd5b2fb575bbd841d0b2caf7257aa0264b130374398563

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f36fce50e79f692ba387fd3043b71e2e
SHA1 6911303260065d00499839bd4cd282ee58523af7
SHA256 b21e7e16d108b9b83e5d0ae5c5c75c3b26e2ab89a1d8ba6d5ccafcc847e91ddb
SHA512 2853067db7733bd301b63bca4b77cf586a66b323e88aa7b36a8c19cfba9379cf94238a302e7218d4c7ef6ce39be3e474a5d953655f98a21f27472027f3568b99

C:\Windows\rss\csrss.exe

MD5 e5f21dfe7c1d6eab0c93bac080c6674b
SHA1 88671714866ac7cff019780883be458f4e1a3e27
SHA256 62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352
SHA512 c935a1382cb3ad7e3df13e6e5f35d8593cc5ddbf33b160a4f16bc9d8b56d54237531124155d72a4110c60a350620ec23217dd653633a58a75155a4448a047e2c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0e8a21e1f4400b72dec400d4dc9a452b
SHA1 c8ac908d2d51f71ff4d8fcde4460e5db081f44b6
SHA256 9efe78efc0405697ce727b2f5651f3c9058c1f394ad14edfaf02a1e8ec944797
SHA512 b1015c3a247c7b9443b646ebfef3d015080215d4a7902ef4601b2a67aa3efa44ab82f65771106861f161d6fcae75edfb268bf28fc40a59879b3c44b10261029c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d5b65415b77e8ad2959f46a7f7aa7976
SHA1 ddebfbc581f1696d2ec190f9ec095ef1bc0c8d6d
SHA256 7bf937181f07e0b458679fdf5514d85e471384fe5df42bda5a8dd70fb4f54b44
SHA512 e8e59fdcb189e4d6f5f8438ea0d14c8a6da195fb5f69eb58b71eee29aed4d700d085e043517e7dbf83cf80fb8070c073ea338453a945f75236eb943a58f713d7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 979c8b9a36d384d3279b282db52dfc9e
SHA1 990537ad20db63ce2845618dbf300fe862acf38f
SHA256 04ef9a4d246d45f8e6795595c236cf81241fa0fd44d0159f71782496c96968f9
SHA512 8680b81d659ac5dee19e7a65a0149e1d2011933d48d625a9cff1542f9448670ce04eff5b2443e775deaca2d7705c79109fcdd92123b90058e5debbd00c48c0bb

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:53

Reported

2024-05-16 15:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4820 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4820 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\system32\cmd.exe
PID 5108 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5108 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1544 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\rss\csrss.exe
PID 1544 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\rss\csrss.exe
PID 1544 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe C:\Windows\rss\csrss.exe
PID 2344 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 3368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 3368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 3368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 1068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 1068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 1068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 448 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2344 wrote to memory of 448 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4680 wrote to memory of 1412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 1412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 1412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1412 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1412 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
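The WriteProcessMemory table above records the process lineage (sample to cmd.exe to netsh.exe, windefender.exe to cmd.exe to sc.exe, csrss.exe to injector.exe), and the Processes list of this behavioral analysis records the command lines those children ran. The following is an added detection example, not part of the sandbox report and not the sandbox vendor's code: it encodes five of those behaviours as rules and runs them over process-creation events constructed from this report's command lines, plus three constructed benign look-alikes to show the rules do not fire on ordinary administration. Event shape, rule names and the set of "core process" names are assumptions for the example. Note that the Files list shows C:\Windows\rss\csrss.exe carrying the same SHA256 as the submitted sample, so the system-process-name-outside-System32 rule also catches the dropper's self-copy.

```python
import ntpath
import re

# Events constructed from the command lines recorded in this analysis ("report")
# plus benign look-alikes ("benign") that a correct rule set must not flag.
EVENTS = [
    {"src": "report", "image": r"C:\Windows\system32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"src": "report", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"src": "report", "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"src": "report", "image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmd": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"src": "report", "image": r"C:\Windows\rss\csrss.exe", "cmd": r"C:\Windows\rss\csrss.exe"},
    # Constructed benign events (not from the report).
    {"src": "benign", "image": r"C:\Windows\System32\csrss.exe", "cmd": r"C:\Windows\System32\csrss.exe"},
    {"src": "benign", "image": r"C:\Windows\system32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\App\app.exe" enable=yes'},
    {"src": "benign", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\App\update.exe" /TN AppUpdate /F'},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names that only ever legitimately run from System32 (assumed list for the example).
CORE_PROCESSES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                  "services.exe", "lsass.exe", "svchost.exe"}


def _norm(path):
    return path.strip('"').lower()


def masquerades_core_process(path):
    """True when a core-process name lives outside System32/SysWOW64, e.g. C:\\Windows\\rss\\csrss.exe."""
    p = _norm(path)
    return ntpath.basename(p) in CORE_PROCESSES and ntpath.dirname(p) not in SYSTEM_DIRS


_FW = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=("[^"]+"|\S+)', re.I)
_TR = re.compile(r'/TR\s+("[^"]+"|\S+)', re.I)
_DENY_BA = re.compile(r"\(D;[^)]*;;;BA\)")          # a deny ACE whose trustee is Builtin Administrators
_PE = re.compile(r'"[^"]+\.(?:exe|dll)"|\S+\.(?:exe|dll)\b', re.I)


def rule_masquerading_image(ev):
    return masquerades_core_process(ev["image"])


def rule_firewall_allow_masquerade(ev):
    """Inbound allow rule whose program= points at a masquerading binary."""
    m = _FW.search(ev["cmd"])
    return bool(m) and masquerades_core_process(m.group(1))


def rule_logon_task_highest_masquerade(ev):
    """schtasks /CREATE ... /SC ONLOGON /RL HIGHEST with /TR pointing at a masquerading binary."""
    c = ev["cmd"]
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", c, re.I):
        return False
    if not (re.search(r"/SC\s+ONLOGON\b", c, re.I) and re.search(r"/RL\s+HIGHEST\b", c, re.I)):
        return False
    m = _TR.search(c)
    return bool(m) and masquerades_core_process(m.group(1))


def rule_service_dacl_denies_admins(ev):
    """sc sdset writing a service DACL that contains an explicit deny for Administrators."""
    c = ev["cmd"]
    return bool(re.search(r"\bsc(?:\.exe)?\s+sdset\b", c, re.I)) and bool(_DENY_BA.search(c))


def rule_temp_injector(ev):
    """A binary under the user's Temp directory started with another process name and a DLL path as arguments."""
    image = _norm(ev["image"])
    if "\\appdata\\local\\temp\\" not in image:
        return False
    toks = [_norm(t) for t in _PE.findall(ev["cmd"])]
    has_dll = any(t.endswith(".dll") for t in toks)
    other_exe = any(t.endswith(".exe") and ntpath.basename(t) != ntpath.basename(image) for t in toks)
    return has_dll and other_exe


RULES = {
    "core_process_name_outside_system32": rule_masquerading_image,
    "firewall_allow_for_masquerading_binary": rule_firewall_allow_masquerade,
    "logon_task_highest_for_masquerading_binary": rule_logon_task_highest_masquerade,
    "service_dacl_denies_administrators": rule_service_dacl_denies_admins,
    "temp_injector_with_target_and_dll": rule_temp_injector,
}


def evaluate(events):
    """Return (rule_name, image) for every rule that fires on every event."""
    return [(name, ev["image"]) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for name, image in evaluate(EVENTS):
        print(f"{name:45} {image}")
```

Each of the five report-derived events trips exactly one rule and the benign events trip none. The rules key on the combination that makes each command suspicious (a core process name outside System32, a deny ACE aimed at Administrators, a Temp-resident binary handed a target name and a DLL) rather than on the bare use of netsh, schtasks or sc, which are common in legitimate administration.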

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe

"C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe

"C:\Users\Admin\AppData\Local\Temp\62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
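The sc sdset command in the Processes list replaces the security descriptor of the WinDefender service that windefender.exe registers. The descriptor is more readable decoded than as SDDL, and the decode is the check a responder wants: whether Administrators can still stop the service. The following is an added example, not part of the sandbox report and not the sandbox vendor's code. It decodes the report's SDDL string with the documented service-specific meanings of the two-letter right codes and compares it against a stock service descriptor; that stock descriptor is an assumption (the usual default returned by sc sdshow for a newly created service), not something taken from this report.

```python
import re

# Service-specific meanings of the SDDL right codes (documented service security
# mapping). Generic codes such as GA/GR and hex masks are not decoded here.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}

# The descriptor the sample applies to its WinDefender service (from the sc sdset line above).
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed stock descriptor of a freshly created service, used only for contrast.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

_SECTION = re.compile(r"([DS]):((?:\([^)]*\))+)")   # D:(...)(...)  and  S:(...)
_ACE = re.compile(r"\(([^)]*)\)")


def _split_rights(field):
    if field.startswith("0x"):          # hex access mask: kept as-is, not decoded
        return (field,)
    return tuple(field[i:i + 2] for i in range(0, len(field), 2))


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]}; each ace has type, flags, rights, trustee."""
    out = {"D": [], "S": []}
    for section, body in _SECTION.findall(sddl):
        for raw in _ACE.findall(body):
            parts = raw.split(";")
            if len(parts) != 6:
                raise ValueError(f"unexpected ACE format: {raw}")
            ace_type, flags, rights, _object_guid, _inherit_guid, trustee = parts
            out[section].append({"type": ace_type, "flags": flags,
                                 "rights": _split_rights(rights), "trustee": trustee})
    return out


def effective_rights(sddl, trustee):
    """Rights explicitly allowed to `trustee` minus rights explicitly denied to it.

    Direct ACEs only: no group expansion, and ACE order is ignored because the
    set arithmetic gives the same answer here (the BA allow ACE never grants WP/DT)."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["D"]:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "A":
            allowed.update(ace["rights"])
        elif ace["type"] == "D":
            denied.update(ace["rights"])
    return allowed - denied


def admins_can_stop(sddl):
    return "WP" in effective_rights(sddl, "BA")


def describe(sddl):
    """Human-readable DACL lines, one per ACE."""
    lines = []
    for ace in parse_sddl(sddl)["D"]:
        label = "ALLOW" if ace["type"] == "A" else "DENY"
        who = TRUSTEES.get(ace["trustee"], ace["trustee"])
        names = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
        lines.append(f"{label:5} {who}: {names}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_SDDL)))
    print("Administrators can stop WinDefender:", admins_can_stop(SAMPLE_SDDL))
```

Decoded, the sample's DACL differs from the stock one in two places: the Administrators allow ACE has SERVICE_STOP and SERVICE_PAUSE_CONTINUE removed, and a separate ACE denies exactly those two rights to Administrators, so an elevated sc stop or Stop-Service fails while LocalSystem keeps full control. Administrators do keep WRITE_DAC and SERVICE_CHANGE_CONFIG, which is what remediation relies on: an elevated shell can rewrite the descriptor with sc sdset, or set the service to disabled and reboot, before removing C:\Windows\windefender.exe. A deny ACE placed after an allow ACE is also non-canonical ordering, which is itself a useful indicator when reviewing service descriptors.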

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.176:443 www.bing.com tcp
US 8.8.8.8:53 176.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 34c80c85-2066-40e9-a4ba-7d4ca7601504.uuid.datadumpcloud.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server4.datadumpcloud.org udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp

Files

memory/4820-1-0x0000000002970000-0x0000000002D75000-memory.dmp

memory/4820-2-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/4820-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2564-4-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/2564-5-0x00000000048C0000-0x00000000048F6000-memory.dmp

memory/2564-6-0x0000000004F30000-0x0000000005558000-memory.dmp

memory/2564-7-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

memory/2564-8-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/2564-9-0x0000000005740000-0x00000000057A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulb2znb1.ino.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2564-19-0x0000000005C90000-0x0000000005FE4000-memory.dmp

memory/2564-20-0x0000000005A10000-0x0000000005A2E000-memory.dmp

memory/2564-21-0x0000000005A70000-0x0000000005ABC000-memory.dmp

memory/2564-22-0x00000000063E0000-0x0000000006424000-memory.dmp

memory/2564-23-0x00000000071A0000-0x0000000007216000-memory.dmp

memory/2564-24-0x00000000078A0000-0x0000000007F1A000-memory.dmp

memory/2564-25-0x0000000007240000-0x000000000725A000-memory.dmp

memory/2564-26-0x0000000007400000-0x0000000007432000-memory.dmp

memory/2564-27-0x0000000070B90000-0x0000000070BDC000-memory.dmp

memory/2564-28-0x0000000070D10000-0x0000000071064000-memory.dmp

memory/2564-38-0x0000000007440000-0x000000000745E000-memory.dmp

memory/2564-39-0x0000000007460000-0x0000000007503000-memory.dmp

memory/2564-40-0x0000000007550000-0x000000000755A000-memory.dmp

memory/2564-41-0x0000000007660000-0x00000000076F6000-memory.dmp

memory/2564-42-0x0000000007560000-0x0000000007571000-memory.dmp

memory/2564-43-0x00000000075A0000-0x00000000075AE000-memory.dmp

memory/2564-44-0x00000000075C0000-0x00000000075D4000-memory.dmp

memory/2564-45-0x0000000007610000-0x000000000762A000-memory.dmp

memory/2564-46-0x0000000007600000-0x0000000007608000-memory.dmp

memory/2564-49-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/4820-50-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4820-51-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/1544-53-0x00000000029A0000-0x0000000002DA4000-memory.dmp

memory/1544-54-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/4472-64-0x0000000005E20000-0x0000000006174000-memory.dmp

memory/4472-65-0x0000000006430000-0x000000000647C000-memory.dmp

memory/4472-66-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/4472-67-0x00000000710B0000-0x0000000071404000-memory.dmp

memory/4472-77-0x00000000075E0000-0x0000000007683000-memory.dmp

memory/4472-78-0x00000000078E0000-0x00000000078F1000-memory.dmp

memory/4472-79-0x0000000007930000-0x0000000007944000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3104-88-0x0000000005B20000-0x0000000005E74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 76e3a4917c0fb2cdf9393f7808d54c69
SHA1 277b7249605b01661035058977c0999573aca278
SHA256 08972feb1153c383df63c656245203b5045c057431c75e8471765e7dcb2d7ec5
SHA512 c8590abba60150d64ae99570b156f8cfcbd376e2df5b59b3cbf7d284bfaf212ab2f80e6b760b25d09eefae5896bedab72a2538bd5c686247191fa3d418fdb65b

memory/3104-94-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/3104-95-0x0000000071430000-0x0000000071784000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 113e8f597c44eb1d8a0a32ea7725217c
SHA1 1b68434af8d5fd4f7358b647e906894834d9f937
SHA256 137b42a208c73358d60b7eb2a478d53f53ed661ea995198df7c99db0bd965d96
SHA512 9946e802c9b1465ec5a9969126770af61680036875d057cf4e2430420ffc3323a1866bed389bf6ba1b78f97677c38b27a091006a9dd0166d89c3958af8cfe249

memory/1620-116-0x0000000070C90000-0x0000000070CDC000-memory.dmp

memory/1620-117-0x0000000071430000-0x0000000071784000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 e5f21dfe7c1d6eab0c93bac080c6674b
SHA1 88671714866ac7cff019780883be458f4e1a3e27
SHA256 62d47d3de8bda4690f7b0fc6d22bca6f96337b50148dcc7d17a762556bb51352
SHA512 c935a1382cb3ad7e3df13e6e5f35d8593cc5ddbf33b160a4f16bc9d8b56d54237531124155d72a4110c60a350620ec23217dd653633a58a75155a4448a047e2c

memory/1544-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4476-134-0x0000000006380000-0x00000000066D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 575ae029c98cc2186095a4bf58104376
SHA1 b3baa12f67b0d0f0039c3fb00a2848437de80855
SHA256 2194182c314423a72a2008d08ca2a8214e086c1ff4735476074e27c1e308a1f3
SHA512 ab2f8ce4f31e55a10009f86753fd3364de8b8cbaff6d13aefa6ef55e6fa06ae411f62b9e29e0d0c54d87db99db0cbe313d181232c8847c5a03f76c60d160b85b

memory/4476-145-0x0000000006A30000-0x0000000006A7C000-memory.dmp

memory/4476-146-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

memory/4476-147-0x0000000071390000-0x00000000716E4000-memory.dmp

memory/4476-157-0x0000000007CC0000-0x0000000007D63000-memory.dmp

memory/4476-158-0x0000000007F70000-0x0000000007F81000-memory.dmp

memory/4476-159-0x0000000006810000-0x0000000006824000-memory.dmp

memory/3368-161-0x0000000006340000-0x0000000006694000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 54cd19fc52be94dcddba92adc000a173
SHA1 d292dcbb513617a9e892906ed0a88d5548b711d4
SHA256 2c65e5a0676d47500b458e2440a2c890c61650ce5d024a1fe04cc3c88be2dfd2
SHA512 84bb76aaa8ab9bd19a351e1152edb9228265c0eaa4e676be4738efc43ba0f47f7ff0f222753e0b1749787b03fe0330c46c672f440e34beaca6ece62db6293ddb

memory/3368-172-0x0000000006F20000-0x0000000006F6C000-memory.dmp

memory/3368-173-0x0000000070B10000-0x0000000070B5C000-memory.dmp

memory/3368-174-0x00000000712A0000-0x00000000715F4000-memory.dmp

memory/3368-184-0x0000000007C50000-0x0000000007CF3000-memory.dmp

memory/3368-185-0x0000000007F70000-0x0000000007F81000-memory.dmp

memory/3368-186-0x00000000067E0000-0x00000000067F4000-memory.dmp

memory/1068-197-0x0000000005D40000-0x0000000006094000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 34887d6335b6c0f84d126184b60e15fc
SHA1 b4e3678f1177b37192a6bbcad75d4dc49cac5f32
SHA256 bd4397dc37fb132093f3600d1e64097688ba485c7015cafe04b843a3ecc1bb3b
SHA512 76dfc3036a173858c4d5ea66a754bc3c337a2e06fd2807dc4be38e1d3b3cdf5ca5ea4419aa6e376191edb83a08f7ed42d2d7c51a479d820b69559ef508e1c272

memory/1068-199-0x0000000070B10000-0x0000000070B5C000-memory.dmp

memory/1068-200-0x0000000070CB0000-0x0000000071004000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2344-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4680-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4680-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2344-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4772-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2344-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4772-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2344-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2344-247-0x0000000000400000-0x0000000000D1C000-memory.dmp