Malware Analysis Report

2025-01-02 06:28

Sample ID 240516-lq41daef5z
Target f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78
SHA256 f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78

Threat Level: Known bad

The file f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 09:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 09:45

Reported

2024-05-16 09:47

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS


Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3564 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3564 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\system32\cmd.exe
PID 4120 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3276 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4120 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\rss\csrss.exe
PID 4120 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\rss\csrss.exe
PID 4120 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\rss\csrss.exe
PID 2504 wrote to memory of 2652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 2652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 2652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 2636 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2504 wrote to memory of 2636 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3032 wrote to memory of 3356 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3356 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3356 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3356 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3356 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3356 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe

"C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe

"C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 6912ab9d-e77e-47e3-97cc-3304467ffe6d.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server16.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp

Files

memory/3564-1-0x0000000002980000-0x0000000002D88000-memory.dmp

memory/3564-2-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/3564-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1284-4-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/1284-5-0x00000000049B0000-0x00000000049E6000-memory.dmp

memory/1284-6-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1284-7-0x0000000005090000-0x00000000056B8000-memory.dmp

memory/1284-8-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1284-9-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

memory/1284-10-0x00000000058B0000-0x0000000005916000-memory.dmp

memory/1284-11-0x0000000005920000-0x0000000005986000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mezml1tj.miv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1284-21-0x0000000005990000-0x0000000005CE4000-memory.dmp

memory/1284-22-0x0000000005F70000-0x0000000005F8E000-memory.dmp

memory/1284-23-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

memory/1284-24-0x00000000070B0000-0x00000000070F4000-memory.dmp

memory/1284-25-0x0000000007290000-0x0000000007306000-memory.dmp

memory/1284-26-0x0000000007990000-0x000000000800A000-memory.dmp

memory/1284-27-0x0000000007330000-0x000000000734A000-memory.dmp

memory/1284-28-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1284-29-0x00000000074F0000-0x0000000007522000-memory.dmp

memory/1284-30-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/1284-31-0x0000000070C90000-0x0000000070FE4000-memory.dmp

memory/1284-41-0x0000000007530000-0x000000000754E000-memory.dmp

memory/1284-43-0x0000000007550000-0x00000000075F3000-memory.dmp

memory/1284-42-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1284-44-0x0000000007640000-0x000000000764A000-memory.dmp

memory/1284-45-0x0000000007750000-0x00000000077E6000-memory.dmp

memory/1284-46-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1284-47-0x0000000007650000-0x0000000007661000-memory.dmp

memory/1284-48-0x0000000007690000-0x000000000769E000-memory.dmp

memory/1284-49-0x00000000076B0000-0x00000000076C4000-memory.dmp

memory/1284-50-0x0000000007700000-0x000000000771A000-memory.dmp

memory/1284-51-0x00000000076F0000-0x00000000076F8000-memory.dmp

memory/1284-54-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4120-57-0x0000000002A10000-0x0000000002E0A000-memory.dmp

memory/3564-58-0x0000000002980000-0x0000000002D88000-memory.dmp

memory/3564-59-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/3564-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3424-69-0x0000000005690000-0x00000000059E4000-memory.dmp

memory/3424-70-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/3424-71-0x0000000070710000-0x0000000070A64000-memory.dmp

memory/3424-81-0x0000000006DB0000-0x0000000006E53000-memory.dmp

memory/3424-82-0x0000000007040000-0x0000000007051000-memory.dmp

memory/3424-83-0x0000000007090000-0x00000000070A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2636-96-0x00000000057A0000-0x0000000005AF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 33b5f67aca2775b1ca631aa9925fa450
SHA1 ee6dc8ec0e3316374150b3cb194f2300a6daa460
SHA256 a566fc8f275be122bb0242d5b0725b3e82283022accd15a71f93454de4161230
SHA512 55c84b76ffc351f8decf3d372bc9d9ea798d6070e5f619facae469ce8329e10c4d74aa65247707ee5cb1ee10686bd2a1c008709c49514cec1ad9001849c9aa37

memory/2636-98-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/2636-99-0x0000000070B60000-0x0000000070EB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f59e6bdb3a0ba3c33541b74df63d0529
SHA1 283c756797bcf5918531d0dbf572d61f2f5ebb1a
SHA256 d1995689dc8a4e471c22d021b191264826b3b4b1c38dd43965741a5bfbab839d
SHA512 12d2ef65ad77b20de46fd4a935fff12acd04ade23a346ade5a48cd047f6b4b35e0aa9c5414d76f210bdc7068f4b2aa87462e1caaeaa9f0bc46e76ac171a51e50

memory/4940-121-0x0000000070710000-0x0000000070A64000-memory.dmp

memory/4940-120-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/4120-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b5b0cf564843c8f1979fe981a0e75027
SHA1 3ea177d17eedd764b842201ef959dc27c02a4a78
SHA256 f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78
SHA512 671be16fbd66db94ce1c9d0a52ee463f2c3b414a135bff32d49be436068c22cd82bc9bbbcb178172fb60fc2c86028856ca725204fe88385cc4a5f909f14a8432

memory/4120-137-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dcaaba1bcbd228daaf568bf714dc98c7
SHA1 5c1677b6f9ef39babac8efaced20ecf6c80de635
SHA256 6344226c0ae07550e94f36c005ee79f3a312de6dfe8b112d216df199b561275c
SHA512 a43572b2d15fbd7604cc31b0c26cea14e9cdd7f58d60252a125f988db948f4f7026e4685e820217ef063e9dcf55a28cbd8be1fee8a7157315f119c184aedaf3f

memory/2652-150-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/2652-151-0x0000000070710000-0x0000000070A64000-memory.dmp

memory/1908-171-0x00000000057A0000-0x0000000005AF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b29254f49505947ebc436fa3df27b2c
SHA1 a0f2d63545909a8a98b2dc6ce92fb6f5844187a6
SHA256 85e54ae8939cad887704256e54d3078d3240bee2e652d2cd2eb2f0aca1e4f115
SHA512 377a090ec97375130c689ab5561faa273925b97f9ca08324fd5ec3a73f6f32a0597c1782f8b76be44fad809d7e0a235a8c650a1eb52da7f8ca1e710e4fb05b4a

memory/1908-173-0x0000000006140000-0x000000000618C000-memory.dmp

memory/1908-174-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/1908-175-0x0000000070630000-0x0000000070984000-memory.dmp

memory/1908-185-0x0000000006E30000-0x0000000006ED3000-memory.dmp

memory/1908-186-0x0000000007180000-0x0000000007191000-memory.dmp

memory/1908-187-0x0000000005650000-0x0000000005664000-memory.dmp

memory/1272-198-0x00000000063A0000-0x00000000066F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ea5d7144e278f936ff040837a5b16afc
SHA1 1a16380fef31a8361a3b84818fcd48e24fd66538
SHA256 8be7f5eb4cec114fbdc157a9ee3daa7110b32a0929fa143e1c130f117b7840e8
SHA512 5fdd8e3a5eed8de42b8c60f073ffdabb957a1bc90dd41fcd62404e9dc5b54b4f416cd878e6354fc3b0eb0f63f1731e61a5d1f8ed0e160fe417c84415d3bdfb57

memory/1272-200-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/1272-201-0x0000000070660000-0x00000000709B4000-memory.dmp

memory/2504-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3032-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2504-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3032-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2504-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/984-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2504-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/984-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2504-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 09:45

Reported

2024-05-16 09:47

Platform

win11-20240508-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4800 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\system32\cmd.exe
PID 4876 wrote to memory of 440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4876 wrote to memory of 440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1380 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\rss\csrss.exe
PID 1380 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\rss\csrss.exe
PID 1380 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe C:\Windows\rss\csrss.exe
PID 3168 wrote to memory of 4640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 4640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 4640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 1828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 1828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 1828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 1544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 1544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 1544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 2144 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3168 wrote to memory of 2144 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3300 wrote to memory of 3108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3108 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3108 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3108 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe
    "C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe
    "C:\Users\Admin\AppData\Local\Temp\f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5c017c71-4da2-4c1a-8ada-9b725767b21f.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server15.thestatsfiles.ru udp
US 162.159.134.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghmgs5ku.zqh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4516-81-0x00000000061B0000-0x0000000006507000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e315a1cf205fe7f6cc573cc20dcb609a
SHA1 97235b072d6853a950b893e88565d4d97dede2da
SHA256 6d2ab43022a1e1129e34ec985df01000ee49cce0937c4a24ea5a4328c1041502
SHA512 33e8dad1a80d6ea7c83d18f4a04bd9903bf8d77f2edec182711f65580e10426a90d1610afbe237a246fabf3e0822602786c7ea5a2bdae259b9e5c80ed9216a7a

memory/4516-91-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4516-92-0x0000000070E70000-0x00000000711C7000-memory.dmp

memory/3848-110-0x0000000005DC0000-0x0000000006117000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 25ab2e36a7c5dadfca9053119d251e08
SHA1 4c062a8666b6b7cea05b5b0ecdf5587ee3ce264c
SHA256 3de1ef096d2b56f62e56062dbaeb9488f40dc1871c41c02e3699808fbba9a34e
SHA512 8b0cb0fbc9e60c57dd5290f221d4605a8dce049c102df5e231be03c76c75083cd4aa13c596e1efecfa7104dc82f37f58a9c86dcecc7842547023fc4bf8a1049d

memory/3848-113-0x0000000070DC0000-0x0000000071117000-memory.dmp

memory/3848-112-0x0000000070C20000-0x0000000070C6C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b5b0cf564843c8f1979fe981a0e75027
SHA1 3ea177d17eedd764b842201ef959dc27c02a4a78
SHA256 f1cee50c69222f92109b8f41daaa70585ac7eccdaf1cb5e2f2780c44f5b4ea78
SHA512 671be16fbd66db94ce1c9d0a52ee463f2c3b414a135bff32d49be436068c22cd82bc9bbbcb178172fb60fc2c86028856ca725204fe88385cc4a5f909f14a8432

memory/1380-127-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 79c7f50699169ded28548ae357f7686f
SHA1 8307a8acdd81ecd9443eb75161e7ede2e6ab09c2
SHA256 7f0f580575481f51bfb2ce31edbb1bcfbea16d9204ab7f890bb84a5a37f05b71
SHA512 2394160a7c8d834e7f38b2e73a88baa11de365594a81705e594da2f65788df04a957463d2a7c5ccee6128f0480c47940fedf492dcc9ea071eb090539900b1c49

memory/4640-139-0x0000000070C20000-0x0000000070C6C000-memory.dmp

memory/4640-140-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/1828-158-0x00000000055E0000-0x0000000005937000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d496fc20a5b737a8aa206190dbe1aacd
SHA1 5900fd51b0ab1485a345abcd47adca20e6d2e692
SHA256 839677a73732912e1fdc9addec73e6cd258ff1cf86e85fbce4b297cb955b06d0
SHA512 69466d122378952d2bc641c6c1ee41138e95e6767532733e823eeacedd352c8bbe19da2c3b6fc06740668d611215bb78d414fa130c50aef14416dc3eaf9e2ef3

memory/1828-160-0x00000000060C0000-0x000000000610C000-memory.dmp

memory/1828-162-0x0000000070CC0000-0x0000000071017000-memory.dmp

memory/1828-161-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/1828-171-0x0000000006E00000-0x0000000006EA4000-memory.dmp

memory/1828-172-0x0000000005950000-0x0000000005961000-memory.dmp

memory/1828-173-0x0000000005990000-0x00000000059A5000-memory.dmp

memory/1544-183-0x0000000006020000-0x0000000006377000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a942ce92c71d212739c172bedc2c9302
SHA1 2620411a986326c4a571e93d1a709057d82374db
SHA256 06f26ba0c7037457227abb6026b952a9a43e503570a61f007e987c6b37aac51b
SHA512 14c51594e132e7f5c7f48f34d5ea19c915487d0c0a63f6f55bd2244b6429b2a816156b8ac74744f70c4a46ce39a0ba369cd2eec05aa03021bb040c61d8c59946

memory/1544-185-0x0000000070B40000-0x0000000070B8C000-memory.dmp

memory/1544-186-0x0000000070D90000-0x00000000710E7000-memory.dmp

memory/3168-196-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
