Malware Analysis Report

2024-12-08 02:05

Sample ID 240516-lqxw3aef4y
Target 4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673
SHA256 4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673

Threat Level: Known bad

The file 4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 09:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 09:44

Reported

2024-05-16 09:47

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

18 hits; no description, indicator, process or target details recorded.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
6 hits; no description, indicator, process or target details recorded.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A 2
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A 10
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 10
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 8
N/A N/A C:\Windows\rss\csrss.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 4
N/A N/A C:\Windows\rss\csrss.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 2
N/A N/A C:\Windows\rss\csrss.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 18
(64 rows in total; identical consecutive rows collapsed, original order kept)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 4856 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3844 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\system32\cmd.exe 2
PID 2088 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 3844 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3844 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3844 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\rss\csrss.exe 3
PID 1636 wrote to memory of 4880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1636 wrote to memory of 2016 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1636 wrote to memory of 832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1636 wrote to memory of 3328 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 3000 wrote to memory of 3304 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3304 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3
(36 rows in total; identical consecutive rows collapsed, original order kept)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe

"C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe

"C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 09:44

Reported

2024-05-16 09:47

Platform

win11-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 732 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 732 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 732 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\system32\cmd.exe
PID 3736 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\system32\cmd.exe
PID 3636 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3636 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3736 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\rss\csrss.exe
PID 3736 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\rss\csrss.exe
PID 3736 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe C:\Windows\rss\csrss.exe
PID 3952 wrote to memory of 1156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 1156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 1156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 2852 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 2852 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 2852 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3916 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3952 wrote to memory of 3916 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2340 wrote to memory of 3668 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 3668 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 3668 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3668 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3668 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe

"C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe

"C:\Users\Admin\AppData\Local\Temp\4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.111:443 server5.myfastupdate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server5.myfastupdate.org tcp
BG 185.82.216.111:443 server5.myfastupdate.org tcp
BG 185.82.216.111:443 server5.myfastupdate.org tcp

Files

memory/732-1-0x0000000002A20000-0x0000000002E19000-memory.dmp

memory/732-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/732-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5084-4-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

memory/5084-5-0x0000000002A70000-0x0000000002AA6000-memory.dmp

memory/5084-7-0x0000000005220000-0x000000000584A000-memory.dmp

memory/5084-6-0x0000000074AA0000-0x0000000075251000-memory.dmp

memory/5084-8-0x0000000074AA0000-0x0000000075251000-memory.dmp

memory/5084-9-0x0000000005190000-0x00000000051B2000-memory.dmp

memory/5084-10-0x0000000005980000-0x00000000059E6000-memory.dmp

memory/5084-11-0x00000000059F0000-0x0000000005A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfxjjwze.cz0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5084-20-0x0000000005A60000-0x0000000005DB7000-memory.dmp

memory/5084-21-0x0000000005F30000-0x0000000005F4E000-memory.dmp

memory/5084-22-0x0000000005F90000-0x0000000005FDC000-memory.dmp

memory/5084-23-0x00000000064C0000-0x0000000006506000-memory.dmp

memory/5084-24-0x0000000007370000-0x00000000073A4000-memory.dmp

memory/5084-26-0x0000000070E90000-0x00000000711E7000-memory.dmp

memory/5084-35-0x0000000074AA0000-0x0000000075251000-memory.dmp

memory/5084-36-0x00000000073B0000-0x00000000073CE000-memory.dmp

memory/5084-37-0x00000000073D0000-0x0000000007474000-memory.dmp

memory/5084-38-0x0000000074AA0000-0x0000000075251000-memory.dmp

memory/5084-25-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/5084-40-0x0000000007500000-0x000000000751A000-memory.dmp

memory/5084-39-0x0000000007B40000-0x00000000081BA000-memory.dmp

memory/5084-41-0x0000000007540000-0x000000000754A000-memory.dmp

memory/5084-42-0x0000000007650000-0x00000000076E6000-memory.dmp

memory/5084-43-0x0000000007560000-0x0000000007571000-memory.dmp

memory/5084-44-0x00000000075B0000-0x00000000075BE000-memory.dmp

memory/5084-45-0x00000000075C0000-0x00000000075D5000-memory.dmp

memory/5084-46-0x0000000007610000-0x000000000762A000-memory.dmp

memory/5084-47-0x0000000007630000-0x0000000007638000-memory.dmp

memory/5084-50-0x0000000074AA0000-0x0000000075251000-memory.dmp

memory/732-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/732-53-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/3736-55-0x0000000002A60000-0x0000000002E63000-memory.dmp

memory/3744-64-0x00000000060E0000-0x0000000006437000-memory.dmp

memory/3744-65-0x00000000065E0000-0x000000000662C000-memory.dmp

memory/3744-66-0x0000000070E20000-0x0000000070E6C000-memory.dmp

memory/3744-67-0x0000000070FA0000-0x00000000712F7000-memory.dmp

memory/3744-76-0x00000000076E0000-0x0000000007784000-memory.dmp

memory/3744-77-0x0000000007A10000-0x0000000007A21000-memory.dmp

memory/3744-78-0x0000000007A60000-0x0000000007A75000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 22444af6333323dc54fd4cb6d8d34b5e
SHA1 6c6b50c04bcee112be7a682be1e39d1e00b820da
SHA256 38fd8225fa2062a56f6e6b96f28f2b33bf6a9b9f01d981d1630cbd581d7d0edc
SHA512 bdf5f93fd5f4cac1126f8c69a14670f583cd0f1f5c4a6f6928b33899446663aebe88cb1bbdc403c85c833cc627f3974433dd4dd7f9f81ae47f8ce86ae8333627

memory/1588-92-0x0000000070FA0000-0x00000000712F7000-memory.dmp

memory/1588-91-0x0000000070E20000-0x0000000070E6C000-memory.dmp

memory/2060-102-0x0000000005B30000-0x0000000005E87000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2933cd1dcd9583130865a510ab9a89c
SHA1 63d47ffb3e6418ff00e9800a1ef10d1cd2204bd5
SHA256 555fc37a6eea50c3f6ff41ccad91004692ef007cca16f474ac2f8c664e29a0af
SHA512 f34154d6f37a19494f5b46d516ac085181b024547290d08cf10f99a0088ff22792071f2139c361f8ce93f031d4f8521db321c79a02136706d3fc57d0f59f7a78

memory/2060-112-0x0000000070E20000-0x0000000070E6C000-memory.dmp

memory/2060-113-0x0000000071070000-0x00000000713C7000-memory.dmp

memory/3736-122-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ade05b63b500bf30521e60b42e391e81
SHA1 204b3c3caa4d8c98fd93c4e76e61fb7c1bb53b3c
SHA256 4bb24085d8af36d0914bf5124dc5733cec6604941ae13e096f94633985709673
SHA512 07fd4ec3ffa6033b93940c587fa735786e88a0910618c82b5f2c4238f5499b61b406a2e6065d13c0aeef7c060ad662a7c72d484b34e644124f1ee8db7337ef5b

memory/3736-127-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1156-138-0x0000000005980000-0x0000000005CD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4410c28183c2019dc449d5eb4ec953c0
SHA1 1ce883d5ed9ed357dbfa637340309bf9115ecd16
SHA256 55daf44f07b262626ac4391d3c044f4f78e27a75889a7ec604d1ba79a8a3a1bf
SHA512 7af84769d46c00e2bc7cd8b73d4612bc3aed62608f792204273b3a938bf4cf7c77fc42c610a983212568c3d1f3889343c8855bedcbf9965ce542fe658efb11bb

memory/1156-140-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

memory/1156-141-0x0000000070D80000-0x0000000070DCC000-memory.dmp

memory/1156-142-0x0000000070F00000-0x0000000071257000-memory.dmp

memory/1156-151-0x00000000070E0000-0x0000000007184000-memory.dmp

memory/1156-152-0x0000000007480000-0x0000000007491000-memory.dmp

memory/1156-153-0x00000000058E0000-0x00000000058F5000-memory.dmp

memory/3316-163-0x0000000005950000-0x0000000005CA7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 26e29a4f6e2e005df0207a236c22761c
SHA1 f7549d9c3527b40e6252a2ac4b19d587dc60c48c
SHA256 3772bc93f3dff5d4d34d855e7f05c59b592dc56798940def399ec556c03c77ed
SHA512 6b79059dd4c271e2337d9f2287f87c5fa1d807e4c71516eb455dd31d088dceb9d919b67f3de8f94113223f3a5e5bd746ca8a2c124b700b7c75f56bbc50132c5d

memory/3316-165-0x0000000005F50000-0x0000000005F9C000-memory.dmp

memory/3316-166-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/3316-167-0x0000000070E20000-0x0000000071177000-memory.dmp

memory/3316-176-0x00000000070C0000-0x0000000007164000-memory.dmp

memory/3316-177-0x0000000007290000-0x00000000072A1000-memory.dmp

memory/3316-178-0x0000000005860000-0x0000000005875000-memory.dmp

memory/2852-180-0x0000000005B90000-0x0000000005EE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1488fb13379d5e718f97bba822bc97a7
SHA1 d7a4a2cb1d1994cd6d81be0e6c0bd60f4dbabafb
SHA256 302edbe6177dbeac0a5f4d59074465f9e4836c7dc0c82d24800b17e3a4aa3ab4
SHA512 071d6a09ca1abb1597831918e62856d9c9313a437af0bdb9c15357def95827d7b7bb12f93f22ae48a11302d663a6c19b3d0b100db67b26df28eb7c1907d28619

memory/2852-190-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/2852-191-0x0000000070EF0000-0x0000000071247000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3952-205-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2340-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2712-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3952-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2340-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2712-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3952-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2712-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3952-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3952-234-0x0000000000400000-0x0000000000D1C000-memory.dmp