Malware Analysis Report

2024-12-08 02:06

Sample ID: 240516-l2nsjaff75
Target: f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28
SHA256: f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28

Threat level: Known bad

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 10:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 10:01

Reported

2024-05-16 10:04

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 matches; no description, indicator, process or target details were recorded for this signature

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches; no description, indicator, process or target details were recorded for this signature

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
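What this sc.exe launch did is recorded in the Processes section: the dropped C:\Windows\windefender.exe runs `cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`. Against the descriptor Windows assigns to a newly created service, `D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`, two things changed: the allow ACE for BUILTIN\Administrators lost WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and an explicit deny ACE `(D;;WPDT;;;BA)` for the same group was added. An administrator's `sc stop WinDefender` or `net stop WinDefender` therefore fails with access denied while LOCAL SYSTEM keeps every right. The S: portion is the stock failed-access audit entry for Everyone; writing a SACL needs SeSecurityPrivilege, which is the privilege sc.exe enables in the AdjustPrivilegeToken table below. The following decoder is an added example, not code from this report or from the malware; its only input is that SDDL string, copied from the process list, and it maps only the right codes that occur in service descriptors.

```python
"""Decode the service security descriptor that `sc sdset` applied.

Added example; not code from the sandbox report or from the malware. The
SDDL string below is copied from the `sc sdset WinDefender ...` command line
in this report's process list. Only the rights codes that appear in service
descriptors are mapped; the object-type and inheritance fields are ignored.
"""
import re

WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# SDDL two-letter right codes -> access-mask bits. On a service object the
# low nine bits are service-specific rights, named in SERVICE_RIGHT_NAMES.
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000}
SERVICE_RIGHT_NAMES = {
    0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
    0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
    0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
    0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
TRUSTEES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators", "IU": "INTERACTIVE",
            "SU": "SERVICE", "WD": "Everyone", "AU": "Authenticated Users"}


def rights_to_mask(field):
    """'CCLCSW...' (two-letter codes) or '0x2009d' -> integer access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(RIGHT_BITS[field[i:i + 2]] for i in range(0, len(field), 2))


def mask_to_names(mask):
    return sorted(name for bit, name in SERVICE_RIGHT_NAMES.items() if mask & bit)


def parse_sddl(sddl):
    """Return {'dacl': [ace, ...], 'sacl': [ace, ...]}; each ACE is a dict.
    ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)."""
    acls = {"dacl": [], "sacl": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        key = "dacl" if section == "D" else "sacl"
        for ace in re.findall(r"\(([^)]*)\)", body):
            parts = ace.split(";")
            acls[key].append({"type": ACE_TYPES.get(parts[0], parts[0]),
                              "flags": parts[1],
                              "rights": mask_to_names(rights_to_mask(parts[2])),
                              "trustee": TRUSTEES.get(parts[5], parts[5])})
    return acls


def effective_rights(acls, trustee):
    """Explicit allows minus explicit denies for one trustee. Canonical order
    puts denies first; here the BA allow ACE also omits WP/DT, so the order of
    ACEs in this descriptor does not change the outcome."""
    allowed, denied = set(), set()
    for ace in acls["dacl"]:
        if ace["trustee"] == trustee:
            (allowed if ace["type"] == "ALLOW" else denied).update(ace["rights"])
    return sorted(allowed - denied)


def admin_lockout(acls):
    """Service rights explicitly denied to BUILTIN\\Administrators."""
    return sorted({r for ace in acls["dacl"]
                   if ace["type"] == "DENY" and ace["trustee"] == "BUILTIN\\Administrators"
                   for r in ace["rights"]})


if __name__ == "__main__":
    acls = parse_sddl(WINDEFENDER_SDDL)
    for ace in acls["dacl"] + acls["sacl"]:
        print(f'{ace["type"]:5s} {ace["trustee"]:24s} {", ".join(ace["rights"])}')
    print("denied to Administrators:", admin_lockout(acls))
    print("Administrators keep:", effective_rights(acls, "BUILTIN\\Administrators"))
```

The lockout is shallow: the decoded BA allow ACE still grants SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC, so from an elevated prompt `sc sdset WinDefender <default descriptor>` or `sc delete WinDefender` undoes it; only stop and pause are blocked. When hunting, the indicator is any service whose DACL carries a deny ACE for BA, not the service name, which the operator can change freely.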

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\system32\cmd.exe
PID 4312 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4312 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\rss\csrss.exe
PID 2684 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\rss\csrss.exe
PID 2684 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\rss\csrss.exe
PID 4188 wrote to memory of 2516 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 2516 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 2516 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 4544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 4544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 4544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 5064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 5064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 5064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4188 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1212 wrote to memory of 3108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 3108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 3108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3108 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3108 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe

"C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe

"C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.210:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 210.83.221.88.in-addr.arpa udp
BE 88.221.83.210:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 4918bf9f-c99e-478d-a18d-1dcf47bf7bf0.uuid.myfastupdate.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server15.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server15.myfastupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server15.myfastupdate.org tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 stun1.l.google.com udp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 185.82.216.111:443 server15.myfastupdate.org tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server15.myfastupdate.org tcp

Files

memory/2164-1-0x0000000002960000-0x0000000002D5D000-memory.dmp

memory/2164-2-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/2164-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-4-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

memory/2868-5-0x0000000000D50000-0x0000000000D86000-memory.dmp

memory/2868-7-0x0000000074E50000-0x0000000075600000-memory.dmp

memory/2868-6-0x0000000004F20000-0x0000000005548000-memory.dmp

memory/2868-8-0x0000000074E50000-0x0000000075600000-memory.dmp

memory/2868-9-0x0000000004D40000-0x0000000004D62000-memory.dmp

memory/2868-10-0x0000000004DE0000-0x0000000004E46000-memory.dmp

memory/2868-11-0x0000000004E50000-0x0000000004EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4ny2mx1.gnf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2868-17-0x0000000005550000-0x00000000058A4000-memory.dmp

memory/2868-22-0x0000000005B10000-0x0000000005B2E000-memory.dmp

memory/2868-23-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

memory/2868-24-0x00000000060B0000-0x00000000060F4000-memory.dmp

memory/2868-25-0x0000000006E20000-0x0000000006E96000-memory.dmp

memory/2868-26-0x0000000007520000-0x0000000007B9A000-memory.dmp

memory/2868-27-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

memory/2868-28-0x0000000007070000-0x00000000070A2000-memory.dmp

memory/2868-30-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/2868-29-0x0000000074E50000-0x0000000075600000-memory.dmp

memory/2868-31-0x0000000071470000-0x00000000717C4000-memory.dmp

memory/2868-41-0x00000000070B0000-0x00000000070CE000-memory.dmp

memory/2868-42-0x0000000074E50000-0x0000000075600000-memory.dmp

memory/2868-43-0x00000000070D0000-0x0000000007173000-memory.dmp

memory/2868-44-0x00000000071C0000-0x00000000071CA000-memory.dmp

memory/2868-45-0x0000000007290000-0x0000000007326000-memory.dmp

memory/2868-46-0x00000000071F0000-0x0000000007201000-memory.dmp

memory/2868-47-0x0000000007230000-0x000000000723E000-memory.dmp

memory/2868-48-0x0000000007240000-0x0000000007254000-memory.dmp

memory/2868-49-0x0000000007330000-0x000000000734A000-memory.dmp

memory/2868-50-0x0000000007270000-0x0000000007278000-memory.dmp

memory/2868-53-0x0000000074E50000-0x0000000075600000-memory.dmp

memory/2684-55-0x0000000002930000-0x0000000002D2B000-memory.dmp

memory/2684-56-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/3920-66-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/3920-67-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/3920-68-0x0000000071490000-0x00000000717E4000-memory.dmp

memory/3920-78-0x0000000007420000-0x00000000074C3000-memory.dmp

memory/3920-79-0x0000000007740000-0x0000000007751000-memory.dmp

memory/2164-81-0x0000000002960000-0x0000000002D5D000-memory.dmp

memory/2164-80-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3920-82-0x0000000007790000-0x00000000077A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f56b3e97354f840bd420368591bd6c61
SHA1 c6b8b1f1edea2d9a41005a5a31fe2b4a60334aea
SHA256 250abae8d7b17fcd50a569f9341db50317b6a4614619e48fc6e0324044aa7070
SHA512 be67f021a0dea4863403d0cff557d7d9521ee5da2518d1a1a6c51d54071c50d2617bb22dac6fed74026232dfec5232ffd4b8b8ace981005f49700c2c18cfdb14

memory/2164-96-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/3584-97-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/3584-98-0x0000000071470000-0x00000000717C4000-memory.dmp

memory/688-118-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d0e424686cde345f6feee75774dbd3a
SHA1 c2e971f41aa08fe300058d110a1d34d6fb2c74ab
SHA256 b2c450c87247e96bfd1c028a6c9e1d0e841dd9f719f39a2da0fe63b141bf6ac9
SHA512 3a08296d7a99d6251a07ca9c30c3d673fb39a38ed5e8e4006f72cf2ebe662bc0df565f14f45a7f10833871409198b6bbecd3c14b8e780ecddae9c8f809fabc12

memory/688-120-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/688-121-0x0000000070E70000-0x00000000711C4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b45ca7444ee1d740f88b773be17f146b
SHA1 166b898e19710cf5cb14604858335eacd9593bad
SHA256 f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28
SHA512 4ff9e3f5162f4dc2aa5f6732c8f0e54257265eb7f84277fca3a671c63cbcf9a2f7c6a701c910e0b80eb7c3e2ce584cc30e53aaa188c1b0a8a25edd2cff7fdf89

memory/2684-135-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b33e27161d20b8decca89644033df4f
SHA1 6f1bd3bb7357de6aed767c950baffeab547f8024
SHA256 f657fa501f2821b5788f82f1624cf9ce28faba37a8b7f7e70d61efb17979a1e0
SHA512 6f00f8f34ca229b437e13db2caf4e04188538f9e4d8d16d957b22aa3f57eda83fcdf751937737711f90aa970371f75e45f30e285651083927202c0e650c76773

memory/2516-149-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/2516-150-0x0000000070E70000-0x00000000711C4000-memory.dmp

memory/4544-170-0x0000000006150000-0x00000000064A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f750d4b04c3ac61d0a78177f171e6320
SHA1 2dafdaa2891e1113fc6642f7d5ff08b430d39b23
SHA256 45dd543f68307ac933f720a9c862c6990de1162a5e4480378a08c41c2b5ad88c
SHA512 c6157963502d5d3de22038459ffbde84cfc5307843ce971ea41835565e1182372031b1996de3306c3bd703bc83758b2b2e676680c98d42c4e865466e46b58aa6

memory/4544-172-0x0000000006E20000-0x0000000006E6C000-memory.dmp

memory/4544-173-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/4544-174-0x00000000713C0000-0x0000000071714000-memory.dmp

memory/4544-184-0x0000000007B70000-0x0000000007C13000-memory.dmp

memory/4544-185-0x0000000007E20000-0x0000000007E31000-memory.dmp

memory/4544-186-0x0000000006690000-0x00000000066A4000-memory.dmp

memory/5064-197-0x0000000005E00000-0x0000000006154000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b4d55e9ac88dab9b0d13300fae4ade3b
SHA1 97543efbcc2bdf309201ff7d9896c897f9a4f258
SHA256 33c664a7c6fe9173523d9bd856c9865b6662906136a79545bef42e21dc5a2d40
SHA512 c55e4f0a635bfb06546779b06510cd8a9bbdd26796dfdad09c2d6e981f6c514f9ed513fc22ef56c83b97305a4b5901ce26bdf3b79007565d21514ba09e3283f6

memory/5064-199-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/5064-200-0x0000000070D90000-0x00000000710E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4188-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1212-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2868-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1212-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4188-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4188-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4188-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 10:01

Reported

2024-05-16 10:04

Platform

win11-20240419-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3692 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\system32\cmd.exe
PID 3136 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\system32\cmd.exe
PID 3460 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3460 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3136 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\rss\csrss.exe
PID 3136 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\rss\csrss.exe
PID 3136 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe C:\Windows\rss\csrss.exe
PID 1724 wrote to memory of 4504 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4504 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4504 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 1444 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1724 wrote to memory of 1444 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1544 wrote to memory of 3392 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3392 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3392 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3392 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3392 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe

"C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe

"C:\Users\Admin\AppData\Local\Temp\f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0333e9cd-2ab2-4b21-90ed-939a4929b1e3.uuid.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.myfastupdate.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server9.myfastupdate.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server9.myfastupdate.org tcp
BG 185.82.216.111:443 server9.myfastupdate.org tcp
BG 185.82.216.111:443 server9.myfastupdate.org tcp

Files

memory/3692-1-0x0000000002A20000-0x0000000002E1C000-memory.dmp

memory/3692-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/3692-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4756-4-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/4756-5-0x0000000002A50000-0x0000000002A86000-memory.dmp

memory/4756-6-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4756-7-0x00000000051E0000-0x000000000580A000-memory.dmp

memory/4756-8-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4756-9-0x0000000005090000-0x00000000050B2000-memory.dmp

memory/4756-10-0x0000000005880000-0x00000000058E6000-memory.dmp

memory/4756-11-0x00000000059F0000-0x0000000005A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzlrlfrj.uyq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4756-20-0x0000000005A60000-0x0000000005DB7000-memory.dmp

memory/4756-21-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/4756-22-0x0000000005FD0000-0x000000000601C000-memory.dmp

memory/4756-23-0x00000000064E0000-0x0000000006526000-memory.dmp

memory/4756-25-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4756-24-0x0000000007330000-0x0000000007364000-memory.dmp

memory/4756-26-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/4756-35-0x0000000007390000-0x00000000073AE000-memory.dmp

memory/4756-36-0x00000000073B0000-0x0000000007454000-memory.dmp

memory/4756-37-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4756-38-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/4756-39-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/4756-40-0x00000000074D0000-0x00000000074EA000-memory.dmp

memory/4756-41-0x0000000007510000-0x000000000751A000-memory.dmp

memory/4756-42-0x0000000007620000-0x00000000076B6000-memory.dmp

memory/4756-43-0x0000000007540000-0x0000000007551000-memory.dmp

memory/4756-44-0x0000000007580000-0x000000000758E000-memory.dmp

memory/4756-45-0x0000000007590000-0x00000000075A5000-memory.dmp

memory/4756-46-0x00000000075E0000-0x00000000075FA000-memory.dmp

memory/4756-47-0x0000000007600000-0x0000000007608000-memory.dmp

memory/4756-50-0x00000000749B0000-0x0000000075161000-memory.dmp

memory/3692-52-0x0000000002A20000-0x0000000002E1C000-memory.dmp

memory/3136-53-0x0000000002A30000-0x0000000002E34000-memory.dmp

memory/4344-62-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4344-63-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/4344-72-0x0000000007040000-0x00000000070E4000-memory.dmp

memory/4344-73-0x0000000007360000-0x0000000007371000-memory.dmp

memory/3692-75-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/3692-74-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4344-76-0x00000000073B0000-0x00000000073C5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2940-80-0x00000000059A0000-0x0000000005CF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5ebcb337f0f43e6f4b8edc59c7acf1a
SHA1 e15463bd70491ed7e95fdbfeec2e9f93652cc266
SHA256 39f6568d1f8dd7f64f3e4139c8efafd16e350384f027327bf692454dac8ec59f
SHA512 d45515e9c46d27cbfb6a87c6145f18bed8e4f23a2e98867c22077ce6d404e4dc185b1ec65cb5d495d7937f7f4a9998182872a20c22ab83c1f62b460011a6902f

memory/2940-90-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/2940-91-0x0000000070E70000-0x00000000711C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4981ac08da70ba15091efad4cc775171
SHA1 a29af64187d31a6202d32753c54a13886f180b17
SHA256 c72ac7249a845ac0ac2f40cd67b8f62a9f2774bf9a511e83cf5b990768563c51
SHA512 f0c8f22351808b7ee09c0d93ff41377dcd830223f968b04cec6ba51d5f69b5d51c21361799d1e2469134568d356098e6ce78201aecbd9bd407031e3661f65d86

memory/2280-110-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/2280-111-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/3136-121-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b45ca7444ee1d740f88b773be17f146b
SHA1 166b898e19710cf5cb14604858335eacd9593bad
SHA256 f1e2df238e780d62053a6028d5a28a893d61c9f52489171e823b5dff88cbea28
SHA512 4ff9e3f5162f4dc2aa5f6732c8f0e54257265eb7f84277fca3a671c63cbcf9a2f7c6a701c910e0b80eb7c3e2ce584cc30e53aaa188c1b0a8a25edd2cff7fdf89

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9aa3f303bcaea5af8b2a27ed49e18189
SHA1 0602f8a8fd0ef014ce68ef1df2e96962dfafd95a
SHA256 fed09e287c322b8425f4223b005c0e99e6a36601b6572d83f0efca4ace1bca67
SHA512 1a50c4a56657b099a79d64e115579aefe26a69f0ba593d8ec4e63b8ab74176040d9415088a6d1c0c4675f7727b454eeceffd48c7db48b7f0b8c22135c0ba2d86

memory/4504-137-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4504-138-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/4680-156-0x0000000005600000-0x0000000005957000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ffa79ca181760298115b9ca38d1c6161
SHA1 26f2bffd35af5b53f0a7ea940127d325e49fd386
SHA256 323d699c03b0c0ed230c144df9cd6b5eeea3f018b0a24acd9acc347b1107fba4
SHA512 e9f8ef87cccde23ec6bdeb7f553dab160f1eab7e14f832f9670c8fc386d72986902709c7cf03383fafb898301474b50423cae31f046ecfefb8e2016f6de5af74

memory/4680-158-0x0000000006080000-0x00000000060CC000-memory.dmp

memory/4680-159-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/4680-160-0x0000000070D50000-0x00000000710A7000-memory.dmp

memory/4680-169-0x0000000006DA0000-0x0000000006E44000-memory.dmp

memory/4680-170-0x0000000007100000-0x0000000007111000-memory.dmp

memory/4680-171-0x0000000004E80000-0x0000000004E95000-memory.dmp

memory/3136-172-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4392-182-0x0000000005F80000-0x00000000062D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d43a05b0622d6f7cbba35d58de181025
SHA1 fd569b5c125efb9ee98b28e6372ebe61a87c9d99
SHA256 39cc16596844f0fe2ea3ae3b27d1159397ffaa7c3fc74660fa554652749ef14b
SHA512 3444391ecc4a6268e0bcb6a1d2494bfe0447c4f1e740e85cfefb3063ea3ba3cf248ee98295b2914b840b1eed5f5a766a95c32466ef4d5c852fd0d34667a9a185

memory/4392-184-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/4392-185-0x0000000070CC0000-0x0000000071017000-memory.dmp

memory/1724-195-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3136-202-0x0000000002A30000-0x0000000002E34000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1544-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1724-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3596-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1544-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1724-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3596-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1724-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1724-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3596-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1724-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1724-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1724-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1724-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1724-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1724-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1724-252-0x0000000000400000-0x0000000000D1C000-memory.dmp