Malware Analysis Report

2024-12-08 02:10

Sample ID 240516-p5dnhsde8y
Target 3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3
SHA256 3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3

Threat Level: Known bad

The file 3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:54

Reported

2024-05-16 12:57

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\system32\cmd.exe
PID 808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\system32\cmd.exe
PID 5012 wrote to memory of 1164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5012 wrote to memory of 1164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 808 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\rss\csrss.exe
PID 808 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\rss\csrss.exe
PID 808 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\rss\csrss.exe
PID 540 wrote to memory of 3372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 3372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 3372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2860 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4440 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 540 wrote to memory of 4440 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3452 wrote to memory of 2332 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 2332 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 2332 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2332 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2332 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe

"C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe

"C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckeamuo4.z0h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad3ab4e1ebc5a16cb77ea8efe90bb559
SHA1 2a840cbc8f405db8c717c1fdfe9ad18ba74937fb
SHA256 3a1a1aea49f9d744f2049a34e0f0acb94371f9ae62853149e072d62185d3b528
SHA512 4f47c4a76cf139ce49d0088962831ead18e4572c79fee585d5aa87937dc4a3534cb2779509f8f2c0dfaae36dacf16a8f519db4a035384e8b150a0607cca9346c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 66a6c5d7f78c30a581cb3b2360f08695
SHA1 87dab06aa9771e960306a0d94563d3d8594d4239
SHA256 0e94118c27524bf0022e82afa1544fbe365aedb4f8a3927dbb89c39944e55d94
SHA512 b894b0616d88211fe2559079a1b0cf360f2efaf2d32e09a2edb6b15370d9f8ea9a14a84e766fcdc20c27c4648e83ec48908cc814e8d92a96fa3f0361842101c0

C:\Windows\rss\csrss.exe

MD5 29bf67403a5506d111edd28996792b54
SHA1 46c730683e0bf6daccfbf768e06ed2f2f9b8d336
SHA256 3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3
SHA512 bfe2cee450c3f5827d9d6ceaf6318dcfc1b172ddb69031afc7f11342e01833eeaa5a68b9e364291288389eff4053563ee6f1cb628776bc387e2c88a876a4d230

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d57188a1227d8d6c4a488913df96286
SHA1 77c2037b127a94ef5fa9a81b2fad7bc547b57aff
SHA256 f48612afd33ef5b3f487b97d8a2812931a2c4b6d3fe1289d80026e887efb69b7
SHA512 9aaab4b873e15698a0fc8876413d59f1d000f9faeddf028a08dfab15130f37a98ed19c8709b05925b1abcf4d5fbfe6b4f68259203d7e2f99d36b42702917ecc7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 afecd27bc0b6560b07cd02923e4900af
SHA1 c0c7a936bd960d551dd907351283476e24c2e9c8
SHA256 2963a78922f1e4b6b28eaf629a33d3f0771d65ae07750aac53bc13ba97572e33
SHA512 ac80be7404e72ca80122bed445ea8cef6ab2bf6bcb7240e82b8327b1416a39903f295efe72de6d254f0cad121866f04c5fcff225584ed7bd95ea3c68fafcea11

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fed0251730ea75b11989ca2e4e5b85a5
SHA1 9d9052050615108ca983336ffa4d09dd3b9f9176
SHA256 afbb4a8ca695a233f76e5604de5ab4302438d9e7730c2950cae14102d87d7ece
SHA512 58670431a3ee31eb39b05afc084b9b06ce6189b247fa7647d4fafa6e385951f001f54974787d8bc0a351c3c9f8d68e0377bd7f23df267c4d5735d8c85287b3f6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:54

Reported

2024-05-16 12:56

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 888 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 888 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 888 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\system32\cmd.exe
PID 2476 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2624 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2476 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\rss\csrss.exe
PID 2476 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\rss\csrss.exe
PID 2476 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe C:\Windows\rss\csrss.exe
PID 1468 wrote to memory of 3232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3232 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 4968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 4968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 4968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 3876 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 720 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1468 wrote to memory of 720 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1336 wrote to memory of 4056 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4056 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4056 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4056 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4056 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe

"C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe

"C:\Users\Admin\AppData\Local\Temp\3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
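The two `sc sdset WinDefender ...` command lines above replace the security descriptor of the dropped service (note the name, one letter away from the legitimate Windows Defender service `WinDefend`). Decoding the SDDL string is what tells a responder why the service cannot be stopped from an elevated prompt: the allow ACE for Builtin Administrators (BA) omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a separate deny ACE removes those two rights explicitly, while Local System keeps them and Administrators keep WRITE_DAC and SERVICE_CHANGE_CONFIG. In practice that means `sc stop` or `net stop` fails with access denied until the descriptor is rewritten (Administrators still hold WRITE_DAC, so `sc sdset` with a sane descriptor works) or the stop is issued as SYSTEM. The decoder below is an added example written for this report, not code from the sample or from the sandbox; the service-right code table follows Microsoft's SDDL documentation, and `DEFAULT_SERVICE_SDDL` is a constructed comparison value representing the descriptor a freshly created service usually carries.

```python
"""Decode the service security descriptor (SDDL) that the sample applies with
`sc sdset WinDefender ...` and work out who can still stop the service.

Added example for this report; not code from the sample or the sandbox.
The service-specific right codes follow Microsoft's SDDL documentation;
DEFAULT_SERVICE_SDDL is a constructed comparison value, not from the report.
"""
import re

# Two-letter SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive users", "SU": "Service logon accounts",
            "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# Descriptor taken verbatim from the sc.exe command line in this report.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed comparison value: the descriptor a freshly created service
# usually carries, where Administrators hold WP (stop) and DT (pause).
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_rights(text):
    """Turn 'CCLCSW...' (or a hex literal such as 0x20) into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"odd-length rights string: {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown right code {code!r} in {text!r}")
        mask |= SERVICE_RIGHTS[code][1]
    return mask


def rights_names(mask):
    return [name for name, bit in SERVICE_RIGHTS.values() if mask & bit]


def parse_ace(text):
    """Parse one '(type;flags;rights;object;inherit_object;trustee)' ACE."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, _obj, _inh, trustee = fields[:6]
    mask = parse_rights(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "mask": mask, "rights": rights_names(mask), "trustee": trustee,
            "trustee_name": TRUSTEES.get(trustee, trustee)}


def parse_service_sddl(sddl):
    """Split 'D:(...)(...)S:(...)' into DACL and SACL ACE lists."""
    acls = {"dacl": [], "sacl": []}
    parts = re.split(r"([OGDS]):", sddl)        # ['', 'D', body, 'S', body]
    for tag, body in zip(parts[1::2], parts[2::2]):
        if tag in ("D", "S"):
            key = "dacl" if tag == "D" else "sacl"
            acls[key] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
    return acls


def effective_rights(dacl, trustee):
    """Rights a trustee gets from ACEs naming it directly, using Windows'
    first-match-per-bit rule: walk the DACL in order, the first allow or
    deny ACE that mentions a bit decides it, and unmentioned bits stay denied.
    Simplification: group nesting (a user who is a member of BA) is not
    resolved; pass the alias the ACEs actually name."""
    granted = decided = 0
    for ace in dacl:
        if ace["trustee"] != trustee or ace["type"] == "audit":
            continue
        fresh = ace["mask"] & ~decided
        if ace["type"] == "allow":
            granted |= fresh
        decided |= fresh
    return granted


def admins_can_stop(sddl):
    dacl = parse_service_sddl(sddl)["dacl"]
    return bool(effective_rights(dacl, "BA") & SERVICE_RIGHTS["WP"][1])


if __name__ == "__main__":
    parsed = parse_service_sddl(WINDEFENDER_SDDL)
    for ace in parsed["dacl"]:
        print(f'{ace["type"]:5} {ace["trustee_name"]:25} {", ".join(ace["rights"])}')
    ba = effective_rights(parsed["dacl"], "BA")
    print("Administrators can stop the service:", admins_can_stop(WINDEFENDER_SDDL))
    print("Administrators keep WRITE_DAC (can rewrite the descriptor):",
          bool(ba & SERVICE_RIGHTS["WD"][1]))
```

Run against the descriptor from this report, `admins_can_stop` returns False while the same check against the default descriptor returns True; the printed DACL shows that Administrators still hold SERVICE_CHANGE_CONFIG and WRITE_DAC, which is the route to undo the lock before stopping and deleting the service.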

Network

Country Destination Domain Proto
US 8.8.8.8:53 907fad7e-d817-4708-ac10-7da76de34879.uuid.realupdate.ru udp
US 8.8.8.8:53 server7.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server7.realupdate.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server7.realupdate.ru tcp
BG 185.82.216.96:443 server7.realupdate.ru tcp
BG 185.82.216.96:443 server7.realupdate.ru tcp

Files

memory/888-1-0x0000000002AB0000-0x0000000002EB3000-memory.dmp

memory/888-2-0x0000000002EC0000-0x00000000037AB000-memory.dmp

memory/888-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3396-4-0x00000000749EE000-0x00000000749EF000-memory.dmp

memory/3396-5-0x0000000002C50000-0x0000000002C86000-memory.dmp

memory/3396-6-0x0000000005510000-0x0000000005B3A000-memory.dmp

memory/3396-7-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/3396-8-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/3396-9-0x0000000005480000-0x00000000054A2000-memory.dmp

memory/3396-11-0x0000000005C20000-0x0000000005C86000-memory.dmp

memory/3396-10-0x0000000005BB0000-0x0000000005C16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4iiqctsf.pp0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3396-20-0x0000000005C90000-0x0000000005FE7000-memory.dmp

memory/3396-21-0x0000000006150000-0x000000000616E000-memory.dmp

memory/3396-22-0x0000000006170000-0x00000000061BC000-memory.dmp

memory/3396-23-0x00000000066B0000-0x00000000066F6000-memory.dmp

memory/3396-25-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/3396-24-0x0000000007540000-0x0000000007574000-memory.dmp

memory/3396-37-0x00000000075C0000-0x0000000007664000-memory.dmp

memory/3396-36-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/3396-35-0x00000000075A0000-0x00000000075BE000-memory.dmp

memory/3396-38-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/3396-26-0x0000000070DD0000-0x0000000071127000-memory.dmp

memory/3396-39-0x0000000007D20000-0x000000000839A000-memory.dmp

memory/3396-40-0x00000000076E0000-0x00000000076FA000-memory.dmp

memory/3396-41-0x0000000007720000-0x000000000772A000-memory.dmp

memory/3396-42-0x0000000007830000-0x00000000078C6000-memory.dmp

memory/3396-43-0x0000000007740000-0x0000000007751000-memory.dmp

memory/3396-44-0x0000000007790000-0x000000000779E000-memory.dmp

memory/3396-45-0x00000000077A0000-0x00000000077B5000-memory.dmp

memory/3396-46-0x00000000077F0000-0x000000000780A000-memory.dmp

memory/3396-47-0x0000000007810000-0x0000000007818000-memory.dmp

memory/3396-50-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/2476-52-0x0000000002A60000-0x0000000002E5F000-memory.dmp

memory/4164-61-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/4164-62-0x0000000070DD0000-0x0000000071127000-memory.dmp

memory/4164-71-0x0000000007470000-0x0000000007514000-memory.dmp

memory/4164-72-0x0000000007790000-0x00000000077A1000-memory.dmp

memory/888-73-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/888-75-0x0000000002EC0000-0x00000000037AB000-memory.dmp

memory/888-74-0x0000000002AB0000-0x0000000002EB3000-memory.dmp

memory/4164-76-0x00000000077E0000-0x00000000077F5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/3344-81-0x00000000060E0000-0x0000000006437000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6394bea8474da90869c108a24c5d3c18
SHA1 224b6be6ee007e1b19161676650c07aa0401fd08
SHA256 000dc547e36a2e8e055c33a32cba97e1e9ba6958757c980ccf7a30dd3bdbf4af
SHA512 f0d758e57f710c3eddfb5c5742ca032744b0dd7c78728a21664782c847b4012764ea261eb34ca19371193db15881be6202951d75b9d222f1ac8a0f6b118e50c4

memory/3344-90-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/3344-91-0x0000000070EA0000-0x00000000711F7000-memory.dmp

memory/3052-109-0x0000000006260000-0x00000000065B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2f4af4ea984824f9f352abd9864afcd
SHA1 92e6b76b96d5a8aa70d17f57d55a203a017d3023
SHA256 1327c95bd906c735edddf0c7f32234dc555d7fb3890cdae2749fcf131faa343b
SHA512 5b38d0c5061fe760ea585e3d02dabfd6bab6ebf2b95245693edd9cceeedb39f0f6672f252dc7489720460d927716413567bec566a098754a534f7898ed6ea144

memory/3052-111-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/3052-112-0x0000000070DF0000-0x0000000071147000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 29bf67403a5506d111edd28996792b54
SHA1 46c730683e0bf6daccfbf768e06ed2f2f9b8d336
SHA256 3c14475bc545453113431692f26fc24970ddde726c42898a435620d3fd1742f3
SHA512 bfe2cee450c3f5827d9d6ceaf6318dcfc1b172ddb69031afc7f11342e01833eeaa5a68b9e364291288389eff4053563ee6f1cb628776bc387e2c88a876a4d230

memory/2476-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3232-136-0x00000000060C0000-0x0000000006417000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 38330e26f2e8e2b952453ad99de96d9a
SHA1 3d9cfa8ebef2d81c817acd3d03dc0b28512c83c9
SHA256 e49791292bfe6a615a5f4a443fcffe9a9810a2e3cb669a9133e2a38b01e4fe95
SHA512 e5989e04d677be27e16088f94ec83587dd55b2da329fc581dbb09298d432e0db2a95103cc75bba206c41845bbc81627b22f0e430085e2a60494372ddd214203b

memory/3232-138-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/3232-139-0x0000000070E60000-0x00000000711B7000-memory.dmp

memory/4968-158-0x0000000005F70000-0x00000000062C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e24b3622f4ba527d71f21b4c3952e621
SHA1 553430d0a649fe10fc3ef994655ebb869a4bca4f
SHA256 75fe798229d66e1bfcce8f25efebb3bfd5645e9a35930bcbc12ab6b429ff1c11
SHA512 21ffdfaae8035b269eca07e547706f4d8c734e1284c57522b39d745911a01159b5b93b203ebe856de05cfa6f91e7e5c0db102fa0f1c5bb59117d929eb154633e

memory/4968-160-0x0000000006460000-0x00000000064AC000-memory.dmp

memory/4968-161-0x0000000070B70000-0x0000000070BBC000-memory.dmp

memory/4968-162-0x0000000070D10000-0x0000000071067000-memory.dmp

memory/4968-171-0x0000000007640000-0x00000000076E4000-memory.dmp

memory/4968-172-0x00000000079C0000-0x00000000079D1000-memory.dmp

memory/4968-173-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/3876-183-0x0000000005900000-0x0000000005C57000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bcd21f1e19e938df5cecd41941e00bee
SHA1 33b6f3aef8dcad7e5f70543d4c0e29008ee16aa5
SHA256 a053257bfd9022f6582d3018304b373aef5ebbf3a0471d3cae577dc0c49a96ad
SHA512 83c8885cb880a1f7ab871dc61e6969c28658894ce74512abe5ba49f6918192ac36e8e80f02db42296e49fe7dff4844f964f98698a855d623229958393ece54b7

memory/3876-185-0x0000000070B70000-0x0000000070BBC000-memory.dmp

memory/3876-186-0x0000000070D80000-0x00000000710D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1468-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1336-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4656-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1336-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1468-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4656-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1468-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4656-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1468-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1468-241-0x0000000000400000-0x0000000000D1C000-memory.dmp