Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-ls68hsfc28
Target eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f
SHA256 eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f

Threat Level: Known bad

The file eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 09:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 09:48

Reported

2024-05-16 09:51

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(18 matches; the report records no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(7 matches; the report records no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 31
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 15
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A 12
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4076 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4004 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4004 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\system32\cmd.exe 2
PID 4444 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 4004 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4004 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\rss\csrss.exe 3
PID 2212 wrote to memory of 2624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2212 wrote to memory of 2328 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2212 wrote to memory of 2156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2212 wrote to memory of 2320 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 3448 wrote to memory of 3864 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3864 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe

"C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe

"C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.120:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 120.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.107.120:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 429c94ed-6908-426a-abc0-c6ad1dd46dc0.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server1.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/4076-1-0x0000000002960000-0x0000000002D5E000-memory.dmp

memory/4076-2-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/4076-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2856-4-0x000000007429E000-0x000000007429F000-memory.dmp

memory/2856-5-0x0000000005140000-0x0000000005176000-memory.dmp

memory/2856-6-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2856-7-0x0000000005860000-0x0000000005E88000-memory.dmp

memory/2856-8-0x0000000005780000-0x00000000057A2000-memory.dmp

memory/2856-9-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2856-11-0x00000000060F0000-0x0000000006156000-memory.dmp

memory/2856-10-0x0000000006080000-0x00000000060E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iks4i1vy.xbu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2856-21-0x0000000006160000-0x00000000064B4000-memory.dmp

memory/2856-23-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/2856-22-0x0000000006720000-0x000000000673E000-memory.dmp

memory/2856-24-0x0000000006C90000-0x0000000006CD4000-memory.dmp

memory/2856-25-0x0000000007A60000-0x0000000007AD6000-memory.dmp

memory/2856-26-0x0000000008160000-0x00000000087DA000-memory.dmp

memory/2856-27-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

memory/2856-29-0x0000000070130000-0x000000007017C000-memory.dmp

memory/2856-28-0x0000000007CA0000-0x0000000007CD2000-memory.dmp

memory/2856-30-0x00000000702B0000-0x0000000070604000-memory.dmp

memory/2856-41-0x0000000007CE0000-0x0000000007CFE000-memory.dmp

memory/2856-39-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2856-42-0x0000000007D00000-0x0000000007DA3000-memory.dmp

memory/2856-44-0x0000000007DF0000-0x0000000007DFA000-memory.dmp

memory/2856-43-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2856-45-0x0000000007EB0000-0x0000000007F46000-memory.dmp

memory/2856-46-0x0000000007E10000-0x0000000007E21000-memory.dmp

memory/2856-47-0x0000000007E50000-0x0000000007E5E000-memory.dmp

memory/2856-48-0x0000000007E60000-0x0000000007E74000-memory.dmp

memory/2856-49-0x0000000007F50000-0x0000000007F6A000-memory.dmp

memory/2856-50-0x0000000007EA0000-0x0000000007EA8000-memory.dmp

memory/2856-53-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/4004-55-0x0000000002960000-0x0000000002D67000-memory.dmp

memory/3472-62-0x0000000005610000-0x0000000005964000-memory.dmp

memory/3472-66-0x0000000070130000-0x000000007017C000-memory.dmp

memory/3472-67-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/3472-77-0x0000000006E30000-0x0000000006ED3000-memory.dmp

memory/4076-79-0x0000000002960000-0x0000000002D5E000-memory.dmp

memory/4076-78-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4076-80-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/3472-81-0x0000000007140000-0x0000000007151000-memory.dmp

memory/3472-82-0x0000000007190000-0x00000000071A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f588c0df1734e5c86c9643386356167a
SHA1 8648299207ee063d00033d3e345e031c33cfa2ae
SHA256 be6a7d5de41eb4fcc41d6c6f0da9d5320f2362628bdfd48c18fa29933c47e0ec
SHA512 eb31e8a88740989e3d82d2e816e5d7b7e7232ce5476b318599b804c3b0316f46927961bd37bdef9a49d94bede398c567d43f2539f6b76f47ca301bfbb321c140

memory/3840-96-0x0000000070130000-0x000000007017C000-memory.dmp

memory/3840-97-0x00000000708B0000-0x0000000070C04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 14fa2b0ff84ebcfc57ba650ff8c8a888
SHA1 160f07f33e9c93e28949d8096b8d773e0c6164ee
SHA256 48bbbd9c5c08e789cac832f4ddfb6cf55e4afbd4753cc90e39cf6bed3bbc5a8f
SHA512 0c4e4257d46e4d6a3ae4f840fcf1f5fd10c9962d60edcf91ce1d09f8da4e9147fdf9b062e836447d9f1330670a9416239948bf07f1c6fd81dfac35574e4bf58f

memory/1720-118-0x0000000070130000-0x000000007017C000-memory.dmp

memory/1720-119-0x00000000708B0000-0x0000000070C04000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 fcf55da713972b81c3d11a0e4841d371
SHA1 ac62de1e809b67b0632dce378038c96e5764b475
SHA256 eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f
SHA512 51edd04cd6c1cf1b618e24e6e1d777400316b8705e27737d20f78fff0aa78daf7b306da0b9a1972b864d31b66d027b92531694aea2893a16a9f52c106e74fb69

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ffc79b6e397449b7b1d25e2fe5ea58c
SHA1 872ebea74745afadf38b749aa7cc90ad8e4d2235
SHA256 8bd03cc85d3d1a7480063cc540d80883c7c0b5b5e32b755c843a52c16793aa06
SHA512 e9447e55abc4f592a86c23b53e0614092b1f586703abaef627242c1f0356237780419bae49f4cef5c86e01fa969088d46fff469c58cb8e17ffe47b34fd8f15b4

memory/4004-145-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2624-147-0x00000000702B0000-0x0000000070604000-memory.dmp

memory/2624-146-0x0000000070130000-0x000000007017C000-memory.dmp

memory/2328-167-0x0000000005B70000-0x0000000005EC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 45c236c56b494b925d2257881e4c8412
SHA1 49242f745022d8ba2ffb952cc6462f877e1c43de
SHA256 ab9b8c62eabc7c5402636cd9fc414d2495ef0e6566280b188cc37cd133f13082
SHA512 18d8f1fbbe4a8b9e4be5c8a6b394674e7acee0ca27ed88e9f7d1ae7c42901b787aace07682f00810612a4185a4bce3acebd61fb0aa59b97a34b02bb5de0c29da

memory/2328-169-0x0000000006250000-0x000000000629C000-memory.dmp

memory/2328-170-0x0000000070050000-0x000000007009C000-memory.dmp

memory/2328-171-0x00000000707E0000-0x0000000070B34000-memory.dmp

memory/2328-181-0x0000000007470000-0x0000000007513000-memory.dmp

memory/2328-182-0x00000000077D0000-0x00000000077E1000-memory.dmp

memory/2328-183-0x0000000006010000-0x0000000006024000-memory.dmp

memory/2156-195-0x0000000005820000-0x0000000005B74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8aa247a634dd96fa209afeecb35df6e0
SHA1 718bd286a54c4153f8c28a5427c1c4cbad141522
SHA256 95d5af1fd4ca676a510b465848d44d70692db6df563a43687898c35ffabb6fe9
SHA512 66e9c744ca36e801c541b149bc7a8becbe05fee3ed637cae0715493b4f1f31cae920182076d56bd999513d2fa0a7e0f40397c6cf9612ecb7afdaff9a5900caa8

memory/2156-197-0x0000000070050000-0x000000007009C000-memory.dmp

memory/2156-198-0x00000000701D0000-0x0000000070524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2212-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4004-217-0x0000000002960000-0x0000000002D67000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3448-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2624-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3448-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2212-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2624-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2212-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2624-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2212-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2624-250-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2212-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-260-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-262-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-269-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2212-272-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 09:48

Reported

2024-05-16 09:51

Platform

win11-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (17 identical matches, no indicator details recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical matches, no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 240 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 240 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 240 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\system32\cmd.exe
PID 4548 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4548 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4692 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\rss\csrss.exe
PID 4692 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\rss\csrss.exe
PID 4692 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe C:\Windows\rss\csrss.exe
PID 2496 wrote to memory of 1452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 1452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 1452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 1644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 1644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 1644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 5092 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 5092 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 5092 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 1496 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2496 wrote to memory of 1496 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4796 wrote to memory of 2432 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2432 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2432 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2432 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2432 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe

"C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe

"C:\Users\Admin\AppData\Local\Temp\eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 9adb6df6-1488-4e6e-b29a-39fc7e2ad51a.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server10.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server10.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.108:443 server10.databaseupgrade.ru tcp
US 74.125.250.129:19302 stun2.l.google.com udp
IE 52.111.236.22:443 tcp
BG 185.82.216.108:443 server10.databaseupgrade.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tytuukbb.ha4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 48c7e443d58bcd5b25c0ab0890fca142
SHA1 9cea400b972cafbb2150d7797fb6242f6dbd63bc
SHA256 aa7ff657fadc3ff464f9c7005130449ad2c6624b668980e281f4a1af14f85acc
SHA512 e6bc332ddb9464d20a07ff8a2aceebbb3f1b363df76c709bc222516d0e0a5408a44931b46d138d4c2121c88cb27eb0cba9fbf3e5c359a52f658e940433bcb9fa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 29ff417f9ae6a80cc7510e41a6589af7
SHA1 3d8d7515d00ead303671e8ba1a1841aa581e48ed
SHA256 d4233adae1813aea6401eb72793c0f6b335e56845ab311f959487863619cd8b2
SHA512 f01b62d055e42fce7a5cc958e3a4a469f66adc0cd3515c1631ae7c96b7b543c8485cae987b6d29dbf592a5614356001855158eae04e5d1dbc0a23f30e0a9b719

C:\Windows\rss\csrss.exe

MD5 fcf55da713972b81c3d11a0e4841d371
SHA1 ac62de1e809b67b0632dce378038c96e5764b475
SHA256 eb2cc9fdc221b42b700d71f1c38ca90c75eaad21df5c5e5077ae9be2f446f97f
SHA512 51edd04cd6c1cf1b618e24e6e1d777400316b8705e27737d20f78fff0aa78daf7b306da0b9a1972b864d31b66d027b92531694aea2893a16a9f52c106e74fb69

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a83647bb1d91a6d4948fefa5ae66c086
SHA1 a3b485784213455f5d71f1a9baaac22aea96da80
SHA256 8d42f0dfa25f265aa986248003a1dd597c758d463a5dc7f19b3be7675caa6424
SHA512 37214a1e1a4ff04d8e840b233ec8baff9bd779e33100d99bb7ebca5823969dc438cd385735dd5ca72dbbe0f249ed440ab6422328c9d65fc401370fc7053cfdd9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e716ccf4c04d67c67a3329f4a82b3111
SHA1 0e836b25e01b50b7682b38c95ddeef5b7d6e0244
SHA256 f496f619550fbab5213a0bb3c29fd35f802398d8c13c714dca7eb90b1730f832
SHA512 7efa6b02f5677ec0578281bf54e4ac802c74587976c16cb10529f0478d20892b7ea022ec05ebcd28a5d3264b12f4258be1c6b2773c2213f69e5b316901475763

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 27579ea2e0811d41e78dcff53d5bf3ad
SHA1 0d6b00165fdfb699ae9c78ec1d0e040dda184efc
SHA256 b72da9d68e7d5b805ae420b4b024a19b6f300dbc4e4619be7e73996f2128294e
SHA512 d5d0e48949a9fa487be5b2624314bf5038740a336f9232bb6be871d4253b7005fbeb446cb0aae6443a6157924e676e4e11987afc1c353290f6e61aad35f2ca4b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
