Malware Analysis Report

2024-11-13 19:43

Sample ID: 240517-fpm3ksaf97
Target: fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c
SHA256: fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c

Threat Level: Known bad

The file fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-17 05:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-17 05:02
Reported: 2024-05-17 05:05
Platform: win11-20240508-en
Max time kernel: 149s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\system32\cmd.exe
PID 5080 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\system32\cmd.exe
PID 1336 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1336 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5080 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\rss\csrss.exe
PID 5080 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\rss\csrss.exe
PID 5080 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\rss\csrss.exe
PID 3444 wrote to memory of 1872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 1872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 1872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 2620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 2620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 2620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 3836 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3444 wrote to memory of 3836 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 688 wrote to memory of 924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 924 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 924 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 924 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe

"C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe

"C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3d1a95ba-e8ab-4055-8dca-7747e2f3f1cd.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server15.theupdatetime.org udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server15.theupdatetime.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
BG 185.82.216.108:443 server15.theupdatetime.org tcp
US 52.111.227.14:443 tcp
BG 185.82.216.108:443 server15.theupdatetime.org tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 05:02

Reported

2024-05-17 05:05

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3972 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3972 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3972 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\system32\cmd.exe
PID 4936 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\system32\cmd.exe
PID 2284 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2284 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4936 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\rss\csrss.exe
PID 4936 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\rss\csrss.exe
PID 4936 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe C:\Windows\rss\csrss.exe
PID 736 wrote to memory of 4452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 4452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 4452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 1736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 1736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 1736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 1484 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 1484 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 1484 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 736 wrote to memory of 2244 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 736 wrote to memory of 2244 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2936 wrote to memory of 2952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2952 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2952 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe

"C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe

"C:\Users\Admin\AppData\Local\Temp\fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 7b4c15ed-65f9-4884-8f94-0ea9e05c8e76.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server7.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp

Files

memory/3972-1-0x0000000004650000-0x0000000004A50000-memory.dmp

memory/3972-2-0x0000000004B50000-0x000000000543B000-memory.dmp

memory/3972-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1264-6-0x000000007447E000-0x000000007447F000-memory.dmp

memory/1264-5-0x0000000004680000-0x00000000046B6000-memory.dmp

memory/1264-8-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/1264-9-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/3972-4-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1264-7-0x0000000004D40000-0x0000000005368000-memory.dmp

memory/1264-10-0x0000000004C90000-0x0000000004CB2000-memory.dmp

memory/1264-11-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/1264-12-0x00000000055D0000-0x0000000005636000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vsr3asx.hj2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1264-22-0x0000000005640000-0x0000000005994000-memory.dmp

memory/1264-23-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/1264-24-0x0000000005C80000-0x0000000005CCC000-memory.dmp

memory/1264-25-0x00000000061B0000-0x00000000061F4000-memory.dmp

memory/1264-26-0x0000000006F80000-0x0000000006FF6000-memory.dmp

memory/1264-27-0x0000000007680000-0x0000000007CFA000-memory.dmp

memory/1264-28-0x0000000007020000-0x000000000703A000-memory.dmp

memory/1264-29-0x00000000071D0000-0x0000000007202000-memory.dmp

memory/1264-32-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/1264-43-0x0000000007230000-0x00000000072D3000-memory.dmp

memory/1264-42-0x0000000007210000-0x000000000722E000-memory.dmp

memory/1264-44-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/1264-31-0x0000000070A10000-0x0000000070D64000-memory.dmp

memory/1264-30-0x0000000070310000-0x000000007035C000-memory.dmp

memory/1264-45-0x0000000007320000-0x000000000732A000-memory.dmp

memory/1264-46-0x0000000007430000-0x00000000074C6000-memory.dmp

memory/1264-47-0x0000000007330000-0x0000000007341000-memory.dmp

memory/1264-48-0x0000000007370000-0x000000000737E000-memory.dmp

memory/1264-49-0x0000000007390000-0x00000000073A4000-memory.dmp

memory/1264-50-0x00000000073D0000-0x00000000073EA000-memory.dmp

memory/1264-51-0x00000000073C0000-0x00000000073C8000-memory.dmp

memory/1264-54-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/3972-56-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3972-57-0x0000000004650000-0x0000000004A50000-memory.dmp

memory/3972-58-0x0000000004B50000-0x000000000543B000-memory.dmp

memory/892-68-0x0000000006540000-0x0000000006894000-memory.dmp

memory/892-69-0x0000000070310000-0x000000007035C000-memory.dmp

memory/892-70-0x0000000070490000-0x00000000707E4000-memory.dmp

memory/892-80-0x0000000007B60000-0x0000000007C03000-memory.dmp

memory/892-81-0x0000000007E80000-0x0000000007E91000-memory.dmp

memory/892-82-0x0000000007ED0000-0x0000000007EE4000-memory.dmp

memory/3972-84-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4936-83-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/3404-97-0x00000000062B0000-0x0000000006604000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ecfd833cb50d28bf9d253fb4d929d946
SHA1 2ada5e6677fc245484b5ab72f478e9ac55039a23
SHA256 19253b4c7b26cbe344ad248b1897558707d2a9e4f77cabaa19b174257e826f94
SHA512 70e9c4a9572ddc98666813c666ff12abb3f57624b285ee78ded60ef1087970733c8c31209a5c1efd0636e7d3862a032fe14a48c6d9e07dd784c103d6bfbdd5a5

memory/3404-99-0x0000000070310000-0x000000007035C000-memory.dmp

memory/3404-100-0x0000000070AB0000-0x0000000070E04000-memory.dmp

memory/2088-121-0x0000000006020000-0x0000000006374000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 74f98d6239bec72fff39b2da3e62d17a
SHA1 cfe4c5b61d17c51f33000fcfe8cbbc7e66334ceb
SHA256 fd5b4d99c1f20c803de1f0c4a766ba00e0a2042248ab06ec22b62549f92306fd
SHA512 90840e70d75cdbc8ca4103feb7805071a9826c3207f8d2c08258ab1de61208b2a99bb30fc414f6622550e9eda9a8552cde7eb44250f4c7e2bd8aff8fe23e9bda

memory/2088-124-0x0000000070A90000-0x0000000070DE4000-memory.dmp

memory/2088-123-0x0000000070310000-0x000000007035C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 e2269f9e7b311ee5ca8649d5ef6ca70f
SHA1 793e6ca75aea843c8e5a20cab989150b757ce03f
SHA256 fae301ca74b03c36a3bda1ca7f6b88b8148f430ac1e86d888658f9179d33192c
SHA512 c5630cc76ece2803684b1d8489fdfb11662680420a3f73105486f4748dca59f1153faee8bb3e209dca71bdaceab71750ca526020eed8b72d06151d91c3545c3d

memory/4936-140-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b430573836311de30682705ed1d6abd2
SHA1 ad34efdef182d3dcc09fa9d47a13b8329bec9585
SHA256 759ed817ce6d825671908e890a7c5a86382023105e87b2af45f303c98e969352
SHA512 07d54afdff045011e3a05a833b53dbe03022f7f7ca6c52f4966d090ee87dabe47a8b11caf7e677f73fd5805dcad3789d28daa42ac7c61ec9bc4be8ed4f7b0a75

memory/4452-153-0x0000000070310000-0x000000007035C000-memory.dmp

memory/4452-154-0x0000000070490000-0x00000000707E4000-memory.dmp

memory/736-152-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1736-175-0x0000000005AF0000-0x0000000005E44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ef79e406a1768a6b0b3a19acc8bdb633
SHA1 4ae7291365a95a01fac1a0db327fa63f19e5bc9c
SHA256 61ad7720a2f851bc6d81f2e86f01e883e5a4f8fb4a7a3ac861790662ec016706
SHA512 e81b830ea06d4e7644e6c3b89ebd87a40a346b7f2ce727e8b82f2962d6c19ae5470fc2d76b334dd58e8ad5d4f792d371c70f7ff39e33230cfe95593a3ad074fb

memory/1736-177-0x00000000063E0000-0x000000000642C000-memory.dmp

memory/1736-178-0x0000000070230000-0x000000007027C000-memory.dmp

memory/1736-179-0x00000000703B0000-0x0000000070704000-memory.dmp

memory/1736-189-0x00000000072A0000-0x0000000007343000-memory.dmp

memory/1736-190-0x0000000007590000-0x00000000075A1000-memory.dmp

memory/1736-191-0x0000000005960000-0x0000000005974000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 48c20bd53d70dbf4e47801a4a9cea49c
SHA1 b09bb81d75e72635abf6fc69af04f051ee7acba6
SHA256 2228f47dcaa0ba2d533d3ef4370d8bedfc8a59dac5f612d9a8622d5d60a03363
SHA512 5688c245b26c3509b8eeb37f7415c16ab79c888ae14d6a15ec94e5b95fbdfa7ef42e3dd999808bd11ec425af2d0d7561bb28a1e8eafc79c1a6329e94fc6d4456

memory/1484-204-0x0000000070230000-0x000000007027C000-memory.dmp

memory/1484-205-0x00000000703B0000-0x0000000070704000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/736-221-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2936-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2936-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/736-232-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2288-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/736-236-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/736-240-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2288-243-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/736-244-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/736-248-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/736-252-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2288-255-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/736-256-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/736-260-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/736-264-0x0000000000400000-0x0000000002B0C000-memory.dmp