Malware Analysis Report

2024-12-08 02:11

Sample ID 240516-pkl46acc4w
Target b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605
SHA256 b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605
Tags glupteba discovery dropper evasion execution loader persistence rootkit upx
score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score 10/10

SHA256 b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605

Threat Level: Known bad

The file b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605 was found to be: Known bad.

Malicious Activity Summary

Tags glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload
Glupteba
Modifies Windows Firewall
Executes dropped EXE
UPX packed file
Checks installed software on the system
Adds Run key to start application
Manipulates WinMonFS driver.
Drops file in System32 directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-16 12:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-16 12:23
Reported 2024-05-16 12:25
Platform win11-20240426-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\system32\cmd.exe
PID 4076 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4076 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1948 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\rss\csrss.exe
PID 1948 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\rss\csrss.exe
PID 1948 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\rss\csrss.exe
PID 2904 wrote to memory of 4872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 4872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 4872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 3264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 3264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 3264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2904 wrote to memory of 1056 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4988 wrote to memory of 4076 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 4076 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 4076 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4076 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4076 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe
    "C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe
    "C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6dfe2228-4155-4046-b185-72db11b181d9.uuid.createupdate.org udp
US 8.8.8.8:53 server14.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server14.createupdate.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server14.createupdate.org tcp
BG 185.82.216.104:443 server14.createupdate.org tcp
BG 185.82.216.104:443 server14.createupdate.org tcp

Files

memory/4248-1-0x0000000002A20000-0x0000000002E21000-memory.dmp

memory/4248-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/4248-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3392-4-0x00000000746EE000-0x00000000746EF000-memory.dmp

memory/3392-5-0x0000000005450000-0x0000000005486000-memory.dmp

memory/3392-6-0x0000000005BD0000-0x00000000061FA000-memory.dmp

memory/3392-7-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/3392-8-0x0000000005940000-0x0000000005962000-memory.dmp

memory/3392-9-0x0000000005AF0000-0x0000000005B56000-memory.dmp

memory/3392-10-0x0000000006200000-0x0000000006266000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4ysqlct.rnt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3392-20-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/3392-19-0x00000000063F0000-0x0000000006747000-memory.dmp

memory/3392-21-0x0000000006900000-0x000000000691E000-memory.dmp

memory/3392-22-0x0000000006940000-0x000000000698C000-memory.dmp

memory/3392-23-0x0000000006EE0000-0x0000000006F26000-memory.dmp

memory/3392-24-0x0000000007D40000-0x0000000007D74000-memory.dmp

memory/3392-25-0x0000000070950000-0x000000007099C000-memory.dmp

memory/3392-26-0x0000000070BC0000-0x0000000070F17000-memory.dmp

memory/3392-35-0x0000000007D80000-0x0000000007D9E000-memory.dmp

memory/3392-37-0x0000000007DA0000-0x0000000007E44000-memory.dmp

memory/3392-36-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/3392-38-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/3392-39-0x0000000008510000-0x0000000008B8A000-memory.dmp

memory/3392-40-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

memory/3392-41-0x0000000007F10000-0x0000000007F1A000-memory.dmp

memory/3392-42-0x0000000008020000-0x00000000080B6000-memory.dmp

memory/3392-43-0x0000000007F30000-0x0000000007F41000-memory.dmp

memory/3392-44-0x0000000007F80000-0x0000000007F8E000-memory.dmp

memory/3392-45-0x0000000007F90000-0x0000000007FA5000-memory.dmp

memory/3392-46-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

memory/3392-47-0x0000000008000000-0x0000000008008000-memory.dmp

memory/3392-50-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/4248-52-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/4248-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1948-55-0x0000000002A70000-0x0000000002E74000-memory.dmp

memory/3332-64-0x00000000063D0000-0x0000000006727000-memory.dmp

memory/3332-65-0x00000000068A0000-0x00000000068EC000-memory.dmp

memory/3332-66-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/3332-67-0x0000000070BE0000-0x0000000070F37000-memory.dmp

memory/3332-76-0x0000000007AD0000-0x0000000007B74000-memory.dmp

memory/3332-77-0x0000000007DF0000-0x0000000007E01000-memory.dmp

memory/3332-78-0x0000000007E40000-0x0000000007E55000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4984-87-0x0000000005E00000-0x0000000006157000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6a6184a12ae8a2e16230e5425912fa37
SHA1 310e208ebf8305aa721d7bc806f9b68594dfee7d
SHA256 1bbdb68bda109851536f7a46240aec58b8549b576260b490bbdd0aeb7160390a
SHA512 ab21a6b23bc31c88ad1fd6e2b15ccd8807049838b889c2ac1b3d73a31fece34dfa296dbc139dd4fb342df688739d96d79b9a6694a199c5a889bc27332a376a62

memory/4984-92-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/4984-93-0x0000000070CB0000-0x0000000071007000-memory.dmp

memory/2776-111-0x0000000005FF0000-0x0000000006347000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ec73291ac49ce3ffaec6ab1efc97ee54
SHA1 370b6604d70138a2167ad73b675908b871c7b9ff
SHA256 4f4805e0d5311e517dbcfcdd6056d49b10aa3874b0684120c3b8fe5cc314a0a4
SHA512 f1be9bdb797d76bdfe86b5dd46fdc90e818e0919180114eca6e6f39001dc354904b3c0329321919c971a0479a09531bdc2b25f5d25903f3dda61bbe27c7db8d3

memory/2776-113-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/2776-114-0x0000000070C70000-0x0000000070FC7000-memory.dmp

memory/1948-123-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 caf6b74a2741367baeb0a1a42f639056
SHA1 2c083dfd66539569cfd36fb665d160e726bcd93f
SHA256 b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605
SHA512 87bb0d449ba91d76a87a88eae718336c33972eec8bf6ed74406bc114bd5cf0e0f04e9f96f0ce262f19319ff8a2ddddbfc7e5c60e0dc379ede78212d18bc3f32a

memory/1948-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4872-139-0x00000000057E0000-0x0000000005B37000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b24aa41063d6055599076ba4a3e6ac04
SHA1 5dca0dcbfe381492b6b1216c871e5faf598b1838
SHA256 7a14f5e24c023a3c61124c2092f8a9199461fc71d359581e076c36bf183c8ed2
SHA512 c6d97b50be21e05091f69e58fb4bc01b1a14c36c8c0152be4d678f1e1edd4445365fc8f08e6564c63c9e254d02c7a3ad4d86cb8b413403db73357a8d2277a96c

memory/4872-141-0x0000000006350000-0x000000000639C000-memory.dmp

memory/4872-142-0x00000000709C0000-0x0000000070A0C000-memory.dmp

memory/4872-143-0x0000000070C10000-0x0000000070F67000-memory.dmp

memory/4872-152-0x0000000007040000-0x00000000070E4000-memory.dmp

memory/4872-153-0x00000000071B0000-0x00000000071C1000-memory.dmp

memory/4872-154-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/2168-164-0x0000000005C70000-0x0000000005FC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5276d3dc002e4da5f02ad802d95372ea
SHA1 6e81f15877b4e751684b0f9953574b4986a21d16
SHA256 33eedffb722a5a1a253968b5d8b1f060adbc728e13bc516087384fbee79234a8
SHA512 c0fbb9e722fed609ff201387fb9a1daa59fdc56752aab1d4bd929865f077d2c1390c1467595c66269061d7a8dddafe4b3b57a9d5fe26f595e1177d3731dd4538

memory/2168-166-0x0000000006700000-0x000000000674C000-memory.dmp

memory/2168-167-0x00000000708E0000-0x000000007092C000-memory.dmp

memory/2168-168-0x0000000070A60000-0x0000000070DB7000-memory.dmp

memory/2168-177-0x0000000007430000-0x00000000074D4000-memory.dmp

memory/2168-178-0x0000000007620000-0x0000000007631000-memory.dmp

memory/2168-179-0x0000000005BE0000-0x0000000005BF5000-memory.dmp

memory/3264-181-0x00000000062B0000-0x0000000006607000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6853969cde1a23fb9cd30daa5a5ebd5b
SHA1 2f24bd5c0a58f08f6d48f31072dc797d6b86fc57
SHA256 2b0228d8f221c69f3df0de6812778296041fa3b9e5236ca9ce32f0081e284054
SHA512 09c07be280ae69987e4e6c35db27c013b11aa6775630099be0bf79eeee2ae785f83299bf75885dd201b898d87a1af6c345c802bdec83a0b9af7fc0d92210fa0d

memory/3264-191-0x00000000708E0000-0x000000007092C000-memory.dmp

memory/3264-192-0x0000000070B50000-0x0000000070EA7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2904-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4988-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2252-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4988-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2904-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2252-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2904-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2252-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2904-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:23

Reported

2024-05-16 12:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2424 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1480 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\rss\csrss.exe
PID 1480 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\rss\csrss.exe
PID 1480 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe C:\Windows\rss\csrss.exe
PID 4932 wrote to memory of 2688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 2688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 2688 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4508 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4508 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4508 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 3208 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4932 wrote to memory of 3208 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3240 wrote to memory of 5104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 5104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 5104 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5104 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5104 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe
"C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe
"C:\Users\Admin\AppData\Local\Temp\b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.176:443 www.bing.com tcp
US 8.8.8.8:53 176.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 f901a342-f364-458a-84c3-0d4188381289.uuid.createupdate.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server4.createupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server4.createupdate.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server4.createupdate.org tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
BG 185.82.216.104:443 server4.createupdate.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
BG 185.82.216.104:443 server4.createupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmustdst.fk1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e73e3fe50249d90a6731bda423a43750
SHA1 5a28ee0f9c0f8b28c595d7e3d17e7aa535eaabca
SHA256 c14e3a4fe92fa433d9ab105811dec60806481aea0a2f3eca581c8340a240a9a7
SHA512 8267d40deac0bd49bda971d05381bb6d3e5ad3a0f38b1992dee30cd130e6e061b765a4be710d17321d4d2c377683df0f8007c382628f5658e3e74fd01196907f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a6769eb39bee0d1d29f8a2190e601bd
SHA1 10c37d347c1f7235a60abf8fb71167dba65937a9
SHA256 1cd6e581b3c4b7a4b0a02c8b85e0b23822f7bcd34f23eec5f1f4168ad1179f35
SHA512 74e74588a31fa4ab58a4b31524a65c9cbb4f1283903605f4f5e1a310e3fd31c788ff7cbb9646d45a997f3dd58b7e025fbb0896a798b0aa737c55e5528b69b736

C:\Windows\rss\csrss.exe

MD5 caf6b74a2741367baeb0a1a42f639056
SHA1 2c083dfd66539569cfd36fb665d160e726bcd93f
SHA256 b75a7d3f089203da96d5f6c042daeb6ca6ef7a1610a6d5ecfec8f18c0e677605
SHA512 87bb0d449ba91d76a87a88eae718336c33972eec8bf6ed74406bc114bd5cf0e0f04e9f96f0ce262f19319ff8a2ddddbfc7e5c60e0dc379ede78212d18bc3f32a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7202ab7c02ccb924ad9bacebb993494a
SHA1 fabe1b64164caea13296ecb61bcdb011e7db5e93
SHA256 27c7bfae23ec04d520ad5ce94ff9a109f88ded58117070f5e828eb9cf1538bcb
SHA512 12d03948ccfd9baa72dd2cdb9c5ac5b03de9d026fa7ebff0e7af1fdde2127299f38a0998f5e41995310fd97e62b8fc1c6d7b45e3d19555615a6b23cc3e096779

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf1c79921604c76b0f97fdcf7a8c7ec1
SHA1 95705300d76491a11199cd2563f6a3b3b69cd17c
SHA256 fe1195c6fbcabd74cda3dc6d4b8a95d432b4d5faca958d0729282a8bae274f86
SHA512 8eecc9df54f1b4412b28d45c313088a50bc466dc9af3fcf52f7a5531d393a510eb354d5fe0b396e4662392ded395ea8d634e6aa051967fdb9c7bb32460d0eb35

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c82ec23bcd52eff676a7c14cc2bdf54d
SHA1 23d3c0d5cfe4d2ce9d885a037df3afc2e649069b
SHA256 7c57824c801cd55abed8627ebac7157f95c179dacc6ac8170520eb683c9f174e
SHA512 83dabd69d41a3db5dfb1f8049e1c21c9e85c93dc0d7c1a15c35b9466a8e516913f64afd2096f00ddfed46401099cd3e93f7b177acc771f1737ecc09335018d96

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec