Malware Analysis Report

2025-01-02 06:41

Sample ID 240515-sv7qdsff6x
Target ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9
SHA256 ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9

Threat Level: Known bad

The file ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:27

Reported

2024-05-15 15:30

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Modifies Windows Firewall

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Checks for VirtualBox DLLs, possible anti-VM trick

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |

Launches sc.exe

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Windows\windefender.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1488 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1488 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1488 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\system32\cmd.exe |
| PID 3456 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\system32\cmd.exe |
| PID 4188 wrote to memory of 4560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 4188 wrote to memory of 4560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 3456 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3456 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\rss\csrss.exe |
| PID 3456 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\rss\csrss.exe |
| PID 3456 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe | C:\Windows\rss\csrss.exe |
| PID 2484 wrote to memory of 4744 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 4744 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 4744 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 1104 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 1104 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 1104 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 2268 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 2268 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 2268 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2484 wrote to memory of 4820 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 2484 wrote to memory of 4820 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 4052 wrote to memory of 2672 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4052 wrote to memory of 2672 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4052 wrote to memory of 2672 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2672 wrote to memory of 3152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 2672 wrote to memory of 3152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 2672 wrote to memory of 3152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe

"C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe

"C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.115:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 115.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 09fbf371-0139-486c-bcf0-da02e8e59af0.uuid.realupdate.ru udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server9.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server9.realupdate.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BG 185.82.216.96:443 server9.realupdate.ru tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
BG 185.82.216.96:443 server9.realupdate.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4hxacty.sk3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1b6b7fb59faacab9f23a38bfd4a6a8b6
SHA1 b1eec60c44e65a01cb36b3e1d0c72c3d5980c114
SHA256 1cefdc75ad84b2313eb17d5e8115c98116a75efe2597030bed8e7404c4bf4058
SHA512 545ec31c2c9ee84607998df611d5c3faa603a976ff571d8918e3c01e3eb64bbc7fbc8d39b8ff8e24e7b7dce4327e89c6b48323909f8dd031f532d9d55f89e7f4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a21bcc1e589c68938f628b964206d745
SHA1 5db65241f1a5e39873cbdfdabf0ed62d0ff39e98
SHA256 c24f7a772f86340a3b56f7229b5336593fcc7bbb67d55216d43a24702038d56d
SHA512 281d918195174b7e10be30f12c68db77533045a966ad9645044fdd0f7207dffe2daf3881fa5840de037f236949c4bcb9210002a5891026900503b3b8d596e475

C:\Windows\rss\csrss.exe

MD5 5eef81f47c74ffdb0a8fd756d795ed7a
SHA1 772e51b1be9797e06229f890d27ebdd2c9e63492
SHA256 ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9
SHA512 9ddbf0072eebe2dd0bbd77d05345a8c37654080500111f8e8d904c516094507deab81e256d51f1da1d3accbcf54ff6b18c2625ff3ee3ed8a951cd853f60ca02a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba50e169c6e350602d64545e83ea42c3
SHA1 cef1fceaf454105590e25049a948764a0e445b7c
SHA256 cd542c99c32344202899f6528f091ff4ee5e6d838854cd7ce72ce0ba03461a68
SHA512 90f5c2e116b80ab862596fbf965cc61d0baa6f10cc2a1f0901a59894c819af4a31e969822959cf3273b8941ad2ab8f54cd2cbe2a977a0fecf90c5f07e65aa3f4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 71fabcefe8050cabd131a8b9b85c2aad
SHA1 c0bd4757234336d330c323d3e4a014eb6a60973e
SHA256 be7414c7e79a3607c2cfe2b6276d73837e18b401b5838c59930e3011cdf34ddd
SHA512 0b25252b9d4fd56cda4553e1ebea2fc673518a2bac9f9c6de968dbc330428f6e8f354dcc874af3a121bc45d96211fa834a45091f7f428e00b684a9b92f6867a8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 98292310505b244c075ed9eb1dab7b2e
SHA1 b68661a9cbeca383a750ebaec216d95575febfd7
SHA256 2dab80cbc9aa796ffceae23b213e21cc7da05b3695f175ede94b56a9bb0ee9ed
SHA512 63e5aae5c928f19db4b27fe35d0f73efca66e6120841a5432c8e6906f067e446975d14a59b91e0483abc163d352e5eb7805c227d0efa828d060d6944d8e1a631

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:27

Reported

2024-05-15 15:30

Platform

win11-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\system32\cmd.exe
PID 2408 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\system32\cmd.exe
PID 4108 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4108 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2408 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\rss\csrss.exe
PID 2408 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\rss\csrss.exe
PID 2408 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe C:\Windows\rss\csrss.exe
PID 4632 wrote to memory of 2072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 2072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 2072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 3968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 3968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 3968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 4188 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4632 wrote to memory of 4188 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5048 wrote to memory of 5108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 5108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 5108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5108 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5108 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe

"C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe

"C:\Users\Admin\AppData\Local\Temp\ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6ac2203c-f69a-4375-af43-11fa722da232.uuid.realupdate.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server1.realupdate.ru udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.96:443 server1.realupdate.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server1.realupdate.ru tcp
BG 185.82.216.96:443 server1.realupdate.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqrhr22e.qa5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e54f0ca87adbcf33cade742fd3174691
SHA1 98723e63f1224a017e4071d00f8663de7830be1a
SHA256 6a2b1b22619bb55146bc04cf2927b3d9fac47ce3e81236baad34c927c9b9e59b
SHA512 f794fc94d27be3547365de5733087a005eb907fec17c75d8d6dbb366b37bd0fa09c85209a8fd012101b801f97ad0d1b972a98a1cbfa43acef74aa25eab49ea4d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5650e46f14d6d17f4d60b03ab3c2a928
SHA1 34ef9e88a431e998bb4e01300dbdc72862517064
SHA256 f9fdd1a45caac0148b8c921c8d55a3878b512ec6fc72e523211b544b34cd3ec5
SHA512 30949b51ea21e7d7a181bdd31d66f21caddbc8bd6d2a63a06e86d909fc8b33d4e2fa7113f374dab5693e5d62c8c751e1a325e82b70fa107f425e572f30b5a5ed

C:\Windows\rss\csrss.exe

MD5 5eef81f47c74ffdb0a8fd756d795ed7a
SHA1 772e51b1be9797e06229f890d27ebdd2c9e63492
SHA256 ec20914684db34316a2c4feaf29cdf411286a87bd7dff9f19e8a7be9e04b35c9
SHA512 9ddbf0072eebe2dd0bbd77d05345a8c37654080500111f8e8d904c516094507deab81e256d51f1da1d3accbcf54ff6b18c2625ff3ee3ed8a951cd853f60ca02a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2bf85d92c7d127ded83a2a19cb5998cb
SHA1 1b0be22411b91a004a5c59d7edd3c6fc513cc758
SHA256 3cb10b93956eba77633e7922a4016596b8e2fc108c0ee69b1ce3566cdc6ae6e6
SHA512 8e6eb28bc1ff10d88114322471eb60b1ed4bc199917d4dc50933706a2bd1ece8991b8d754155d5b677a06b1a45c45f590496d92e9f21194cd7e2e19bf85b54c1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 08f2db749d66b53bbd0466c4258f336c
SHA1 cda201cb0c95da64d147ca2f1e964d67b582b459
SHA256 bdc190c38676be9d07492752e0319638cca1bd613e2d03d849e201a736922e75
SHA512 819dd23aa9f32b32fa48147abafcbc0bb1c3dc191291c47abf9c2fc2845dec1dced72c1130b6196f38d284fb8550e54a149e125243143b1711b08d997652612b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf299fc170c8a1a30315f62e9c5c5364
SHA1 fd524b5a448fda222d900306ab05b02214261388
SHA256 35be0d11eb9b22fe749003e803891cbca904800c60ae438c44c26ab2ccfdbc20
SHA512 07c2575a9e15199070d73fea24ae194eec344c51a8d52bed30c010de4893fedc521c23d0b5ddf5215e7a3b3b7c7425f6e5b41756ba22a9dad80f8b91c030711f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
