Analysis Overview
SHA256
f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6
Threat Level: Known bad
The file f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6 was found to be: Known bad.
Malicious Activity Summary
Glupteba
Glupteba payload
Modifies Windows Firewall
UPX packed file
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 19:23
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 19:23
Reported
2024-04-19 19:25
Platform
win11-20240412-en
Max time kernel
10s
Max time network
151s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits; the sandbox exported no description, indicator, process or target for any of them)
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(4 hits, no details exported)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
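The "Modifies Windows Firewall", "Creates scheduled task(s)" and "Launches sc.exe" signatures above are triggered by the netsh, schtasks and sc command lines in the process list. The following is an added example, not part of the sandbox report, showing how those three command lines can be flagged in process-creation telemetry. The event records are constructed in the shape of Sysmon event 1 / Security 4688 fields; the command lines marked "report" are copied from the process list, the two marked "benign" are made up. The regexes, the "expected directory" heuristic and the ATT&CK mapping are my own choices, not the sandbox's.

```python
"""Flag the persistence and defence-evasion command lines behind the
report's firewall, scheduled-task and sc.exe signatures.

Added example; not part of the sandbox report. Event records are
constructed (Sysmon 1 / 4688 style fields); command lines marked
'report' come from the sample's process list, 'benign' ones are made up.
"""
import re

# Names that belong only to binaries in the system directories; the same
# name anywhere else is masquerading (ATT&CK T1036.005, my mapping).
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
                       "winlogon.exe", "services.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Heuristic: inbound allow rules for programs outside these are suspicious.
EXPECTED_PROGRAM_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")

FIREWALL_ADD_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b(?P<args>.*)", re.I)
SC_SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(?P<svc>\S+)\s+(?P<sddl>\S+)", re.I)
# A deny ACE aimed at Administrators (BA) or LocalSystem (SY).
DENY_PRIV_ACE_RE = re.compile(r"\(D;[^;]*;(?P<rights>[^;]*);;;(?P<sid>BA|SY)\)")

SAMPLE_EVENTS = [
    {"pid": 1, "image": "C:\\Windows\\system32\\netsh.exe",  # report
     "cmd": 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
            'program="C:\\Windows\\rss\\csrss.exe" enable=yes'},
    {"pid": 2, "image": "C:\\Windows\\SYSTEM32\\schtasks.exe",  # report
     "cmd": 'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'},
    {"pid": 3, "image": "C:\\Windows\\SYSTEM32\\schtasks.exe",  # report
     "cmd": "schtasks /delete /tn ScheduledUpdate /f"},
    {"pid": 4, "image": "C:\\Windows\\SysWOW64\\sc.exe",  # report
     "cmd": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
            "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"pid": 5, "image": "C:\\Windows\\rss\\csrss.exe", "cmd": "C:\\Windows\\rss\\csrss.exe"},  # report
    {"pid": 6, "image": "C:\\Windows\\System32\\schtasks.exe",  # benign (constructed)
     "cmd": 'schtasks /CREATE /SC DAILY /TR "C:\\Program Files\\Vendor\\updater.exe" /TN VendorUpdate'},
    {"pid": 7, "image": "C:\\Windows\\system32\\netsh.exe",  # benign (constructed)
     "cmd": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow '
            'program="C:\\Windows\\System32\\svchost.exe" enable=yes'},
]


def _value(args, prefix):
    """Value following `prefix` in an argument string, quoted or bare token."""
    m = re.search(prefix + r'(?:"([^"]*)"|(\S+))', args, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def netsh_arg(args, key):
    return _value(args, rf"\b{key}=")


def schtasks_arg(args, switch):
    return _value(args, rf"/{switch}\s+")


def masquerades(path):
    """True for a system-binary name living outside the system directories."""
    name = path.lower().rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and not path.lower().startswith(SYSTEM_DIRS)


def analyze(events):
    """Return a list of {pid, technique, detail} findings for the events."""
    findings = []
    for ev in events:
        cmd, pid = ev["cmd"], ev["pid"]
        paths = {ev["image"]}  # every path the event references, for the masquerade check
        m = FIREWALL_ADD_RE.search(cmd)
        if m:
            args = m.group("args")
            program = netsh_arg(args, "program") or ""
            if program:
                paths.add(program)
            if ((netsh_arg(args, "action") or "").lower() == "allow" and program
                    and not program.lower().startswith(EXPECTED_PROGRAM_DIRS)):
                findings.append({"pid": pid, "technique": "T1562.004",
                                 "detail": f"inbound allow rule '{netsh_arg(args, 'name')}' for {program}"})
        m = SCHTASKS_CREATE_RE.search(cmd)
        if m:
            args = m.group("args")
            task_run = schtasks_arg(args, "tr") or ""
            if task_run:
                paths.add(task_run)
            if (schtasks_arg(args, "rl") or "").upper() == "HIGHEST":
                findings.append({"pid": pid, "technique": "T1053.005",
                                 "detail": f"task '{schtasks_arg(args, 'tn')}' runs {task_run} "
                                           f"elevated, trigger {schtasks_arg(args, 'sc')}"})
        m = SC_SDSET_RE.search(cmd)
        if m:
            for rights, sid in DENY_PRIV_ACE_RE.findall(m.group("sddl")):
                findings.append({"pid": pid, "technique": "T1543.003",
                                 "detail": f"service {m.group('svc')}: DACL denies {rights} to {sid}"})
        for path in sorted(paths):
            if masquerades(path):
                findings.append({"pid": pid, "technique": "T1036.005",
                                 "detail": f"system binary name outside system dirs: {path}"})
    return findings


def count(findings, technique):
    return sum(1 for f in findings if f["technique"] == technique)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>2}  {f['technique']}  {f['detail']}")
```

Run against the constructed events, the four "report" command lines produce six findings (the csrss.exe path outside System32 is flagged once per event that references it) and the two benign ones produce none. The `T1543.003` mapping for the `sc sdset` lockdown is the loosest of the four; the ACE pattern is what matters, since a legitimate administrator has little reason to deny SERVICE_STOP to Administrators.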
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | "C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 2440 |
| C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | "C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
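The `sc sdset WinDefender ...` command line in the process list rewrites the security descriptor of the service the sample installs. The following is an added example, not part of the sandbox report, that decodes that SDDL string and evaluates what each trustee can do with the service. The descriptor is copied from the process list; the rights table is Microsoft's documented mapping of SDDL access-right codes onto service access rights; the access check mirrors the order-dependent ACE walk Windows performs but, as a simplification, ignores group membership, inheritance flags and the owner's implicit rights.

```python
"""Decode the service security descriptor the sample applied with
`sc sdset WinDefender ...` and evaluate what each trustee may do.

Added example; not part of the sandbox report. SAMPLE_SDDL is copied
from the report's process list. The access check below is simplified:
no group expansion, no inheritance flags, no owner rights.
"""
import re

# SDDL access-right code -> service access right (Microsoft service
# security docs). 'WD' here is WRITE_DAC; the trustee alias 'WD' below
# is Everyone, a different namespace.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "RC": "READ_CONTROL",
    "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators",
            "IU": "Interactive", "SU": "Service", "WD": "Everyone"}

SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")

SAMPLE_SDDL = (  # from the report: argument to `sc sdset WinDefender`
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def parse_sddl(sddl):
    """Return (dacl, sacl); each ACE is a dict with type, flags, rights, sid."""
    acl = {"D": [], "S": []}
    for section, _flags, body in SECTION_RE.findall(sddl):
        for ace_type, flags, rights, _obj, _inh, sid in ACE_RE.findall(body):
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            unknown = codes - set(SERVICE_RIGHTS)
            if unknown:  # hex masks and generic rights are out of scope here
                raise ValueError(f"unsupported right code(s) {unknown}")
            acl[section].append({"type": ace_type, "flags": flags,
                                 "rights": codes, "sid": sid})
    return acl["D"], acl["S"]


def access_check(dacl, sid, wanted):
    """Order-dependent walk of the DACL for one trustee, as Windows does it:
    an allow ACE removes rights from the outstanding set and the check
    succeeds as soon as nothing is outstanding; a deny ACE that covers any
    still-outstanding right fails it; anything left over means denied."""
    remaining = set(wanted)
    for ace in dacl:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "A":
            remaining -= ace["rights"]
            if not remaining:
                return True
        elif ace["type"] == "D" and remaining & ace["rights"]:
            return False
    return not remaining


def explicit_denies(dacl):
    """Deny ACEs as (trustee, sorted right names). Denying SERVICE_STOP to
    Administrators is what keeps the service from being stopped from an
    elevated prompt."""
    return [(TRUSTEES.get(ace["sid"], ace["sid"]),
             sorted(SERVICE_RIGHTS[c] for c in ace["rights"]))
            for ace in dacl if ace["type"] == "D"]


def effective_rights(dacl, sid):
    """Service rights the trustee ends up with after the full ACE walk."""
    return sorted(SERVICE_RIGHTS[c] for c in SERVICE_RIGHTS
                  if access_check(dacl, sid, {c}))


if __name__ == "__main__":
    dacl, sacl = parse_sddl(SAMPLE_SDDL)
    for trustee, rights in explicit_denies(dacl):
        print(f"DENY  {trustee}: {', '.join(rights)}")
    for sid in ("SY", "BA", "IU"):
        print(f"{TRUSTEES[sid]:>12}: {', '.join(effective_rights(dacl, sid))}")
```

Two things fall out of the decoded descriptor. The Administrators allow ACE has had SERVICE_STOP and SERVICE_PAUSE_CONTINUE removed and a deny ACE for the same two rights added, so `sc stop WinDefender` from an elevated prompt fails with access denied; LocalSystem keeps SERVICE_STOP, so the service can still be stopped from a SYSTEM context. Administrators also keep WRITE_DAC and DELETE, so under this descriptor alone the lockdown is reversible by rewriting the DACL with `sc sdset` or deleting the service; whether the sample's other components re-apply it is not something this report shows.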
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 269b296e-75fb-4e8a-b784-dbc01b21ff25.uuid.databaseupgrade.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | server12.databaseupgrade.ru | udp |
| BG | 185.82.216.108:443 | server12.databaseupgrade.ru | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server12.databaseupgrade.ru | tcp |
| BG | 185.82.216.108:443 | server12.databaseupgrade.ru | tcp |
Files
memory/4216-1-0x0000000003E00000-0x0000000004200000-memory.dmp
memory/4216-2-0x0000000004200000-0x0000000004AEB000-memory.dmp
memory/4216-3-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/3548-4-0x0000000002F10000-0x0000000002F46000-memory.dmp
memory/3548-5-0x0000000074250000-0x0000000074A01000-memory.dmp
memory/3548-6-0x0000000002F00000-0x0000000002F10000-memory.dmp
memory/3548-7-0x0000000002F00000-0x0000000002F10000-memory.dmp
memory/3548-8-0x00000000057F0000-0x0000000005E1A000-memory.dmp
memory/3548-9-0x0000000005530000-0x0000000005552000-memory.dmp
memory/3548-10-0x0000000005E20000-0x0000000005E86000-memory.dmp
memory/3548-13-0x0000000005E90000-0x0000000005EF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dn0t3h2p.x1h.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3548-20-0x0000000005F00000-0x0000000006257000-memory.dmp
memory/3548-21-0x00000000063E0000-0x00000000063FE000-memory.dmp
memory/3548-22-0x0000000006410000-0x000000000645C000-memory.dmp
memory/3548-23-0x00000000067D0000-0x0000000006816000-memory.dmp
memory/3548-24-0x000000007FD60000-0x000000007FD70000-memory.dmp
memory/3548-26-0x00000000704C0000-0x000000007050C000-memory.dmp
memory/3548-36-0x0000000007820000-0x000000000783E000-memory.dmp
memory/3548-37-0x0000000007840000-0x00000000078E4000-memory.dmp
memory/3548-27-0x0000000070640000-0x0000000070997000-memory.dmp
memory/3548-25-0x00000000077C0000-0x00000000077F4000-memory.dmp
memory/3548-38-0x0000000007FB0000-0x000000000862A000-memory.dmp
memory/3548-39-0x0000000007970000-0x000000000798A000-memory.dmp
memory/3548-40-0x00000000079B0000-0x00000000079BA000-memory.dmp
memory/3548-41-0x0000000074250000-0x0000000074A01000-memory.dmp
memory/4324-43-0x0000000003C60000-0x0000000004066000-memory.dmp
memory/4324-44-0x0000000004070000-0x000000000495B000-memory.dmp
memory/4324-45-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4216-48-0x0000000003E00000-0x0000000004200000-memory.dmp
memory/4332-47-0x0000000004E40000-0x0000000004E50000-memory.dmp
memory/4332-46-0x0000000004E40000-0x0000000004E50000-memory.dmp
memory/4332-58-0x0000000005D20000-0x0000000006077000-memory.dmp
memory/4332-57-0x0000000074250000-0x0000000074A01000-memory.dmp
memory/4332-59-0x00000000704C0000-0x000000007050C000-memory.dmp
memory/4332-60-0x0000000070E00000-0x0000000071157000-memory.dmp
memory/4332-71-0x0000000004E40000-0x0000000004E50000-memory.dmp
memory/4332-70-0x0000000004E40000-0x0000000004E50000-memory.dmp
memory/4332-69-0x00000000073A0000-0x0000000007444000-memory.dmp
memory/4332-72-0x00000000077A0000-0x0000000007836000-memory.dmp
memory/4332-73-0x00000000076C0000-0x00000000076D1000-memory.dmp
memory/4332-74-0x0000000007700000-0x000000000770E000-memory.dmp
memory/4332-75-0x0000000007710000-0x0000000007725000-memory.dmp
memory/4332-76-0x0000000007750000-0x000000000776A000-memory.dmp
memory/4332-77-0x0000000007770000-0x0000000007778000-memory.dmp
memory/4332-80-0x0000000074250000-0x0000000074A01000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | fb359dfcf37031f3bb927aaa7edf3ec1 |
| SHA1 | bd7ab54fe9f904052a7bfc2a342712b39ff0d6fe |
| SHA256 | db729b25ddf0278ba65770c5dcf6cd0f28f532bdbd1943fe0766445ec08ea796 |
| SHA512 | a6f76d3e56ace2d60dce355fbf606c83668b6eb2a6116e9826524c2b21947580f15c7385bf70330bfd8b86da83fe08929d06b8cd8c09e81bbbbb69632c45fdc8 |
memory/4636-92-0x0000000074250000-0x0000000074A01000-memory.dmp
memory/4636-94-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/4636-93-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/4216-90-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4636-96-0x0000000070640000-0x0000000070997000-memory.dmp
memory/4636-95-0x00000000704C0000-0x000000007050C000-memory.dmp
memory/4636-107-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/4636-106-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/4636-109-0x0000000074250000-0x0000000074A01000-memory.dmp
memory/3320-110-0x0000000074250000-0x0000000074A01000-memory.dmp
memory/4324-111-0x0000000003C60000-0x0000000004066000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 227009207df95f563b12d6e087c29a1f |
| SHA1 | 0cbd7d6769cf669b9f896966834b8812ceea302f |
| SHA256 | aceb1c10d64aa64ac94e68c836687f8ca5199c04ed85a997c0ac1bbf59a2924e |
| SHA512 | c12c1b6ec85784b2d823f5b4a2f12a922a9cf8195038e853b8335220a3f6c609028008e59325442c6dd7a7946a3503a40c5524d6a81a8dc415376346f6cbb2c8 |
memory/3320-122-0x0000000070640000-0x0000000070997000-memory.dmp
memory/3320-121-0x00000000704C0000-0x000000007050C000-memory.dmp
memory/3320-132-0x000000007F9D0000-0x000000007F9E0000-memory.dmp
memory/4324-131-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/3320-133-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3320-135-0x0000000074250000-0x0000000074A01000-memory.dmp
C:\Windows\rss\csrss.exe (same SHA256 as the submitted sample: the dropper copies itself to this path)
| MD5 | 0796ac200d1f3642b598d14cf31606a1 |
| SHA1 | 149e9647d003952a2b1a001c1510167158022cea |
| SHA256 | f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6 |
| SHA512 | bb49e5f61975654800fa822e018275266c28c9fbec3dd6a2c93484a815d8e72d0df4d6dd66d3eb6d9e4c228272ab6d22896cc92c31d19857e06f3b8a741c69a5 |
memory/792-141-0x0000000004200000-0x0000000004600000-memory.dmp
memory/792-142-0x0000000000400000-0x0000000001E08000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ac068a1ffcd9149ce887695a1f451d5a |
| SHA1 | 97a8514e279c688a20032d493b2d15482287289c |
| SHA256 | 53222baec25fd586f59d1086298102f3175d7b9fca15e7e96cb72186ddd87caf |
| SHA512 | 62915b79b1afb3cc1adf3be73a993d86bafcd958932486e6f991cbccca3e31b5869b8d1c51b659a370d43007ec544fb62acf6858cd7ca568c60a7574e9588c9a |
memory/4324-169-0x0000000000400000-0x0000000001E08000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7e18c7528e98a2950b0a44e47033c4ad |
| SHA1 | 9491b0812d116c7534b72d05a894b852965a750f |
| SHA256 | a6b16796fc2f46d22bea6833031a88a9eb1b2437029fa2ddc1f3c0cb67b1f1a0 |
| SHA512 | 7e682877aec2d1997dbd0976f760462edfc6d83ac3784fd28012def0978c03c56bb60551a6a4a1df4d9959ad8aac46bda3ef011fc76a6158c127c232dc682055 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | bcbd091bec5ac7be696f93bd988f1ed4 |
| SHA1 | c9345bb8851835ce6e5532751dee8384335eded0 |
| SHA256 | d85e0449bd5309a9eaa10b6aff2b5e5c482a9a240c235955907c5544bb0d9ce7 |
| SHA512 | 9377b090522dfcc37e766504269d30ae71503f42540400e311c6179d12666830d20d9759e84588f4941060893dec3d04a52ae10c3b50cd2bfc60b299f99e6939 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/792-236-0x0000000000400000-0x0000000001E08000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/2072-244-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/792-247-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/2440-250-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/792-251-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-255-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/2440-258-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/792-260-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-264-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-268-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-272-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-275-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-279-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-283-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-287-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/792-291-0x0000000000400000-0x0000000001E08000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 19:23
Reported
2024-04-19 19:25
Platform
win10v2004-20240412-en
Max time kernel
12s
Max time network
152s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
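The sc.exe launch recorded here is the `sc sdset WinDefender D:(...)S:(...)` command listed in the Processes section of this detonation. The following Python, added as an example for this page and not part of the sandbox output, decodes that exact SDDL string into per-ACE service rights so the effect on Administrators is explicit. The two-letter codes are mapped the way `sc sdset` interprets them for a service object (low bits are the SERVICE_* specific rights, the rest are standard rights), and the trustee aliases are the standard SDDL well-known SIDs; nothing else is assumed.

```python
"""Decode the SDDL string applied by `sc sdset WinDefender ...` in this report.
Example code added for this page; not part of the sandbox's output."""
import re

# Two-letter right codes as sc sdset interprets them for a service object
# (the low bits are the SERVICE_* specific rights, the rest standard rights).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"FA": "FAILED_ACCESS", "SA": "SUCCESSFUL_ACCESS"}
TRUSTEES = {  # well-known SDDL SID aliases used in this descriptor
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone",
}

# The descriptor exactly as it appears in the sc.exe command line on this page.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
        "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def _pairs(code_string, table):
    """Expand a run of two-letter codes ('WPDT') into names via `table`."""
    return [table.get(code_string[i:i + 2], code_string[i:i + 2])
            for i in range(0, len(code_string), 2)]


def parse_sddl(sddl):
    """Return one dict per ACE from the DACL (D:) and SACL (S:) sections."""
    aces = []
    for section, _acl_flags, body in re.findall(
            r"([DS]):([PAIR]*)((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit, sid = ace.split(";")
            aces.append({
                "acl": "DACL" if section == "D" else "SACL",
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": _pairs(flags, ACE_FLAGS),
                "rights": _pairs(rights, RIGHTS),
                "trustee": TRUSTEES.get(sid, sid),
            })
    return aces


def effective_rights(aces, trustee):
    """(allowed, denied) for one trustee in the DACL; denies override allows."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["acl"] != "DACL" or ace["trustee"] != trustee:
            continue
        (denied if ace["type"] == "DENY" else allowed).update(ace["rights"])
    return allowed - denied, denied


if __name__ == "__main__":
    decoded = parse_sddl(SDDL)
    for ace in decoded:
        print(ace["acl"], ace["type"], ace["trustee"], " ".join(ace["rights"]))
    allowed, denied = effective_rights(decoded, TRUSTEES["BA"])
    print("Administrators denied:", sorted(denied))
```

What the decode shows: LocalSystem keeps SERVICE_STOP and SERVICE_PAUSE_CONTINUE, but BUILTIN\Administrators gets an allow ACE that omits WP and DT and, on top of that, an explicit deny ACE for exactly those two rights, so `sc stop WinDefender` from an elevated prompt fails with access denied while the service keeps running. Administrators are still granted WRITE_DAC and SERVICE_CHANGE_CONFIG, so remediation is to reset the descriptor with `sc sdset` (or act from a SYSTEM context) before stopping the service. The SACL entry audits failed access by Everyone, which only produces events if object-access auditing is enabled.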
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | "C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe | "C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4104 -ip 4104 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 592 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
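The process list above records the whole persistence and defence-evasion chain in plain command lines: an inbound firewall exception for C:\Windows\rss\csrss.exe, an ONLOGON task at the highest run level pointing at the same file, a service descriptor rewrite that denies Administrators, and a loader given a process name plus a DLL path. The Python below, an example added for this page rather than anything from the sandbox or the sample, runs command-line detection rules over events constructed from those exact lines. The set of system binary names used for the masquerading check is an assumption of the example, not something the report provides; PIDs and parent/child relations are not in the report and are not used.

```python
"""Command-line triage for the persistence / defence-evasion chain in this report.
Added example, not part of the sandbox output. EVENTS is constructed from the
Processes list on this page; PIDs and parent links are not in the report."""
import re

EVENTS = [  # constructed from the page's Processes list
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\windefender.exe"',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'powershell -nologo -noprofile',
]

# Assumed list of core Windows binary names; a file with one of these names
# outside System32/SysWOW64 is treated as masquerading (T1036.005).
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_masquerading_path(path):
    """True when the file name is a core binary name but the directory is not a system one."""
    p = path.strip('"').lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS)


def triage(cmdline):
    """Return a list of (rule, detail) hits for one process command line."""
    hits, low, parts = [], cmdline.lower(), cmdline.split()
    # 0. The launched image itself carries a system-binary name from a non-system path.
    if is_masquerading_path(parts[0]):
        hits.append(("masquerading_image_path", parts[0]))
    # 1. Inbound firewall exception added for a specific executable (T1562.004).
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?program="([^"]+)"', cmdline, re.I)
    if m and "action=allow" in low:
        hits.append(("firewall_allow_rule", m.group(1)))
        if is_masquerading_path(m.group(1)):
            hits.append(("masquerading_system_binary_name", m.group(1)))
    # 2. Task created to run at logon; record the run level (T1053.005).
    m = re.search(r'schtasks\s+/create.*?/tr\s+"?([^"]+?)"?\s+/tn', cmdline, re.I)
    if m:
        level = "highest" if "/rl highest" in low else "limited"
        hits.append(("scheduled_task_persistence", f"{m.group(1)} ({level})"))
        if is_masquerading_path(m.group(1)):
            hits.append(("masquerading_system_binary_name", m.group(1)))
    # 3. Service security descriptor rewritten with a deny ACE for Administrators.
    m = re.search(r"sc\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if m and re.search(r"\(D;[^)]*;BA\)", m.group(2)):
        hits.append(("service_dacl_denies_admins", m.group(1)))
    # 4. Loader given a bare process name and a DLL path: injection candidate.
    if (len(parts) >= 3 and parts[-2].lower().endswith(".exe")
            and "\\" not in parts[-2] and parts[-1].lower().endswith(".dll")):
        hits.append(("dll_injection_candidate", f"{parts[-2]} <- {parts[-1]}"))
    return hits


def triage_all(events):
    """Map each event that produced at least one hit to its hits."""
    out = {}
    for event in events:
        hits = triage(event)
        if hits:
            out[event] = hits
    return out


if __name__ == "__main__":
    for event, hits in triage_all(EVENTS).items():
        print(event[:70], "->", [rule for rule, _ in hits])
```

The rules are heuristics, not signatures: `dll_injection_candidate` fires purely on argument shape (a bare process name followed by a .dll path), which is what the injector.exe line shows; the DLL's file name suggests it hooks NtQuerySystemInformation inside Task Manager to hide processes, but the report records only the launch, so the rule name says "candidate". The plain `powershell -nologo -noprofile` launches and the `schtasks /delete` produce no hits, which is the intended noise floor for this rule set.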
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c94e8275-965d-432c-b014-7cfc857f3b21.uuid.databaseupgrade.ru | udp |
| US | 8.8.8.8:53 | stun.stunprotocol.org | udp |
| US | 8.8.8.8:53 | server1.databaseupgrade.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server1.databaseupgrade.ru | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server1.databaseupgrade.ru | tcp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| NL | 74.125.128.127:19302 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | 127.128.125.74.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server1.databaseupgrade.ru | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1672-1-0x0000000003CC0000-0x00000000040BB000-memory.dmp
memory/1672-2-0x00000000040C0000-0x00000000049AB000-memory.dmp
memory/1672-3-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4980-4-0x0000000005150000-0x0000000005186000-memory.dmp
memory/4980-5-0x0000000074C80000-0x0000000075430000-memory.dmp
memory/4980-6-0x0000000003110000-0x0000000003120000-memory.dmp
memory/4980-7-0x0000000003110000-0x0000000003120000-memory.dmp
memory/4980-8-0x00000000057C0000-0x0000000005DE8000-memory.dmp
memory/4980-9-0x0000000005710000-0x0000000005732000-memory.dmp
memory/4980-10-0x0000000005EF0000-0x0000000005F56000-memory.dmp
memory/4980-11-0x0000000005F60000-0x0000000005FC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hx0ilhtq.02x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4980-21-0x0000000006310000-0x0000000006664000-memory.dmp
memory/4980-22-0x0000000006700000-0x000000000671E000-memory.dmp
memory/4980-23-0x0000000006740000-0x000000000678C000-memory.dmp
memory/4980-24-0x0000000006C90000-0x0000000006CD4000-memory.dmp
memory/4980-25-0x0000000007A20000-0x0000000007A96000-memory.dmp
memory/4980-27-0x0000000007AC0000-0x0000000007ADA000-memory.dmp
memory/4980-26-0x0000000008120000-0x000000000879A000-memory.dmp
memory/4980-28-0x000000007F2D0000-0x000000007F2E0000-memory.dmp
memory/4980-31-0x0000000070CA0000-0x0000000070FF4000-memory.dmp
memory/4980-42-0x0000000003110000-0x0000000003120000-memory.dmp
memory/4980-43-0x0000000007CE0000-0x0000000007D83000-memory.dmp
memory/4980-41-0x0000000007CC0000-0x0000000007CDE000-memory.dmp
memory/4980-30-0x0000000070B20000-0x0000000070B6C000-memory.dmp
memory/4980-29-0x0000000007C80000-0x0000000007CB2000-memory.dmp
memory/4980-44-0x0000000007DD0000-0x0000000007DDA000-memory.dmp
memory/4980-45-0x0000000007E90000-0x0000000007F26000-memory.dmp
memory/4980-46-0x0000000007DF0000-0x0000000007E01000-memory.dmp
memory/4980-47-0x0000000007E30000-0x0000000007E3E000-memory.dmp
memory/4980-48-0x0000000007E40000-0x0000000007E54000-memory.dmp
memory/4980-50-0x0000000007E80000-0x0000000007E88000-memory.dmp
memory/4980-49-0x0000000007F30000-0x0000000007F4A000-memory.dmp
memory/4980-53-0x0000000074C80000-0x0000000075430000-memory.dmp
memory/4104-55-0x0000000003BF0000-0x0000000003FE9000-memory.dmp
memory/1672-56-0x0000000003CC0000-0x00000000040BB000-memory.dmp
memory/4104-57-0x0000000003FF0000-0x00000000048DB000-memory.dmp
memory/4104-58-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/1440-59-0x0000000074C80000-0x0000000075430000-memory.dmp
memory/1440-60-0x00000000024E0000-0x00000000024F0000-memory.dmp
memory/1440-70-0x0000000070B20000-0x0000000070B6C000-memory.dmp
memory/1440-71-0x0000000070CA0000-0x0000000070FF4000-memory.dmp
memory/1672-82-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/1440-81-0x0000000006D50000-0x0000000006DF3000-memory.dmp
memory/1440-84-0x00000000024E0000-0x00000000024F0000-memory.dmp
memory/1440-83-0x00000000024E0000-0x00000000024F0000-memory.dmp
memory/1440-85-0x0000000007080000-0x0000000007091000-memory.dmp
memory/1440-86-0x00000000070D0000-0x00000000070E4000-memory.dmp
memory/1440-89-0x0000000074C80000-0x0000000075430000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/1272-92-0x0000000074C80000-0x0000000075430000-memory.dmp
memory/1272-103-0x00000000063D0000-0x0000000006724000-memory.dmp
memory/1272-104-0x0000000005560000-0x0000000005570000-memory.dmp
memory/1272-102-0x0000000005560000-0x0000000005570000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 22d4f368f1bb41ba795b964af88e71cf |
| SHA1 | 12ae06d7aeee4cc6c21d208c0a740dcb8604896f |
| SHA256 | 52c70987c803730ee047f0db687471b03b90b7f63d4752071ddb9221e1e2101d |
| SHA512 | a3d9c100e2a86759a9b966bf93e58ba6d0367ed25d39407293a13772de9e424aa499a99e94bb953cc4118fc23d3725e88b3b70625fed88341765f32a4c4703ef |
memory/1272-106-0x000000007F700000-0x000000007F710000-memory.dmp
memory/1272-108-0x00000000712D0000-0x0000000071624000-memory.dmp
memory/1272-120-0x0000000005560000-0x0000000005570000-memory.dmp
memory/1272-119-0x0000000005560000-0x0000000005570000-memory.dmp
memory/4104-118-0x0000000003BF0000-0x0000000003FE9000-memory.dmp
memory/1272-107-0x0000000070B20000-0x0000000070B6C000-memory.dmp
memory/1272-122-0x0000000074C80000-0x0000000075430000-memory.dmp
memory/2492-124-0x0000000002C20000-0x0000000002C30000-memory.dmp
memory/2492-123-0x0000000074C80000-0x0000000075430000-memory.dmp
memory/2492-125-0x0000000005BE0000-0x0000000005F34000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8db52f59e4e3a6689f426ea306bfb228 |
| SHA1 | 4d7ddde94ca06302716b3f6a282744d8bd7db8e3 |
| SHA256 | 61267d8f8d67d7c13aeda9921a26b76717e89933d2c674d1366390ef55cbe598 |
| SHA512 | b869ded8a080700e0abf8342fa991180abd4f5fad6191a62220238a96d5b8e1deede11c8289fa504f8b882603e5b3f48795effd0a1789520f7b029a51acc352d |
memory/2492-137-0x00000000712A0000-0x00000000715F4000-memory.dmp
memory/2492-136-0x0000000070B20000-0x0000000070B6C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 0796ac200d1f3642b598d14cf31606a1 |
| SHA1 | 149e9647d003952a2b1a001c1510167158022cea |
| SHA256 | f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6 |
| SHA512 | bb49e5f61975654800fa822e018275266c28c9fbec3dd6a2c93484a815d8e72d0df4d6dd66d3eb6d9e4c228272ab6d22896cc92c31d19857e06f3b8a741c69a5 |
memory/4104-157-0x0000000000400000-0x0000000001E08000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 57d0307b083b4346b5a6db37b80eb11e |
| SHA1 | 80aadb4a6add989f5c112b746d2c3e297296ec33 |
| SHA256 | 1d9fa9b6b89f2496fab006f80673d999efd7e7635877d931d738c56ee2209f64 |
| SHA512 | f9630d06a86e1ff80131cf86ad25f09715eeb55988733685d09ab5ffc825153b9ccb1c6b82aa7ee5dd66a5158513e3b1da25916ad2363f6ffd7a3e643f2a7a7b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b53f458dd5f927145710b7329d499885 |
| SHA1 | 11d80370115425770acffd3663f16d11b1a5c905 |
| SHA256 | e7c0dc0599038668b540911e06ebe002aa0d991146cc4e0e93d1932725326814 |
| SHA512 | 13923aa15561977202e1c0d3b05fbf8d3febd994eba6d441577e7767e53af97d9f42573eee8ac12d83e4ee1bd370664f572241d9274d2d6a89ed6b73d2703828 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b9158e689cc8351463949bab0defd447 |
| SHA1 | b6792c6d2b21774383a1b802e96b03e15f31b1e5 |
| SHA256 | 07f17763960940f7eaa9c344066746949bfd4c1ae534ff2c096cb754b0d77c77 |
| SHA512 | 4f952db2d0b094e1b847650033f051112a991ccf577fb3675d4e0420a1c6a1e619bad225428ebf9eb4126b9f8724274a7ed1dd3995fec3ee2dbc7374296edeaa |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/4468-253-0x0000000000400000-0x0000000001E08000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/4540-261-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4468-263-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/2248-265-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4468-266-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-269-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/2248-271-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4468-272-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-275-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-278-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-281-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-284-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-287-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-290-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-293-0x0000000000400000-0x0000000001E08000-memory.dmp
memory/4468-296-0x0000000000400000-0x0000000001E08000-memory.dmp