Malware Analysis Report

2024-12-08 02:07

Sample ID 240516-pn3lbada96
Target 1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455
SHA256 1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455

Threat Level: Known bad

The file 1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:29

Reported

2024-05-16 12:32

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 matches reported; description, indicator, process and target are N/A for every row

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches reported; all fields N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

\??\WinMonFS is the device name exposed by the kernel driver Glupteba uses to hide its files. csrss.exe opening it for write means the driver was already loaded when the persistent copy ran and is being sent control requests from user mode. This report shows only the user-mode side; on a live host, look for the driver itself with driverquery /v and under HKLM\SYSTEM\CurrentControlSet\Services.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (5 times) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

config\systemprofile is the profile directory of the LocalSystem account, so the 32-bit PowerShell instances writing here were running as SYSTEM, not as the Admin user who launched the sample. The files themselves are PowerShell's and the CLR's own startup artefacts, not payloads.

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A

\??\VBoxMiniRdrDN is the device of the VirtualBox shared-folder redirector and exists only when Guest Additions are installed, so this open is a sandbox check rather than a DLL check. The run still completed on this platform (win10v2004-20240426-en), so either the open failed here or the result does not gate execution.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target

All rows are under \REGISTRY\USER\.DEFAULT, grouped by process below.

Certificate store and Internet Settings keys, all from C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe:

Key created Software\Microsoft\SystemCertificates\Root (x2)
Key created Software\Microsoft\SystemCertificates\Root\Certificates
Key created Software\Microsoft\SystemCertificates\Root\CRLs
Key created Software\Microsoft\SystemCertificates\Root\CTLs (x2)
Key created Software\Microsoft\SystemCertificates\TrustedPeople
Key created Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created Software\Microsoft\SystemCertificates\trust\Certificates
Key created Software\Microsoft\SystemCertificates\trust\CRLs
Key created Software\Microsoft\SystemCertificates\Disallowed\Certificates (x2)
Key created Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
Key created Software\Policies\Microsoft\SystemCertificates\trust
Key created Software\Policies\Microsoft\SystemCertificates\trust\CRLs (x2)
Key created Software\Policies\Microsoft\SystemCertificates\CA\Certificates (x2)
Key created Software\Policies\Microsoft\SystemCertificates\CA\CTLs
Key created Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"

MuiCache time-zone name lookups under Software\Classes\Local Settings\MuiCache\2a\52C64B7E, written by C:\Windows\windefender.exe (value names of the form @tzres.dll,-N):

-691 = "Tasmania Daylight Time"
-1801 = "Line Islands Daylight Time"
-335 = "Jordan Standard Time"
-1892 = "Russia TZ 3 Standard Time"
-1022 = "Bangladesh Standard Time"
-172 = "Central Standard Time (Mexico)"
-1911 = "Russia TZ 10 Daylight Time"
-2342 = "Haiti Standard Time"
-442 = "Arabian Standard Time"
-271 = "Greenwich Daylight Time"
-541 = "Myanmar Daylight Time"
-201 = "US Mountain Daylight Time"
-1501 = "Turkey Daylight Time"
-2791 = "Novosibirsk Daylight Time"
-161 = "Central Daylight Time"
-432 = "Iran Standard Time"
-2771 = "Omsk Daylight Time"
-501 = "Nepal Daylight Time"

Same MuiCache key, written by C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe (value names of the form C:\Windows\system32\,@tzres.dll,-N):

-511 = "Central Asia Daylight Time"
-2941 = "Sao Tome Daylight Time"
-2571 = "Turks and Caicos Daylight Time"
-652 = "AUS Central Standard Time"
-1892 = "Russia TZ 3 Standard Time"
-1022 = "Bangladesh Standard Time"
-42 = "E. South America Standard Time"
-752 = "Tonga Standard Time"
-2162 = "Altai Standard Time"
-82 = "Atlantic Standard Time"
-291 = "Central European Daylight Time"
-1842 = "Russia TZ 4 Standard Time"
-32 = "Mid-Atlantic Standard Time"
-281 = "Central Europe Daylight Time"
-1802 = "Line Islands Standard Time"
-572 = "China Standard Time"
-682 = "E. Australia Standard Time"
-222 = "Alaskan Standard Time"
-1501 = "Turkey Daylight Time"
-932 = "Coordinated Universal Time"
-12 = "Azores Standard Time"
-91 = "Pacific SA Daylight Time"

How to read this: HKEY_USERS\.DEFAULT is the hive LocalSystem sees as HKCU, so every process in this table was running as SYSTEM. The SystemCertificates keys are created the first time PowerShell (through .NET) opens that account's certificate stores, and the tzres.dll MuiCache values are written when a process resolves time-zone display names, which the Go runtime does on Windows while initialising its local time zone (Glupteba is a Go binary). None of these rows is a persistence or configuration change in itself; the points worth keeping are the SYSTEM context of both the sample and windefender.exe, and the ProxyBypass value.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (32 hits) N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (14 hits) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe (12 hits) N/A
N/A N/A C:\Windows\rss\csrss.exe (6 hits) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (x7) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege (x2) N/A C:\Windows\SysWOW64\sc.exe N/A

Three of these are worth more than the generic signature name. SeSystemEnvironmentPrivilege is the privilege required by GetFirmwareEnvironmentVariable/SetFirmwareEnvironmentVariable, i.e. reading or writing UEFI variables; csrss.exe enabling it fits the rootkit tag and is a reason to inspect firmware variables and boot configuration on an infected host. SeImpersonatePrivilege in the sample is the privilege used to impersonate a higher-privileged token, consistent with the SYSTEM context seen in the file and registry tables. SeSecurityPrivilege in sc.exe is what writing a SACL needs, which the sc sdset command line below does (its S: part). SeDebugPrivilege in the PowerShell children is weak evidence on its own: .NET's process APIs enable it when enumerating processes, which matches the EnumeratesProcesses hits on the same instances; what matters is which process spawned them.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 1092 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 3504 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 3020 (x2) N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2028 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3084 wrote to memory of 3048 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 4448 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 4300 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\rss\csrss.exe
PID 4300 wrote to memory of 5076 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 4188 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 4468 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 3336 (x2) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3388 wrote to memory of 3436 (x3) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 2520 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Read this as a process tree. The sample runs twice (PIDs 3364 and 3084; the first only starts one PowerShell, the second does the work). 3084 starts the PowerShell helpers, the cmd.exe/netsh.exe firewall change, and the persistent copy C:\Windows\rss\csrss.exe (4300), which in turn starts more PowerShell and injector.exe. windefender.exe (3388) has no recorded parent in this table; given the sc sdset on a service called WinDefender it is most likely the service instance, started by the service control manager. Caveat on the signature itself: every write here lands in a process the writer has just created, which is the normal CreateProcess pattern (the parent populates the new process's parameters), so the signature fires for benign launches too. The tree is the evidence, not the signature name.

Uses Task Scheduler COM API

persistence
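The signatures above (Modifies Windows Firewall, Creates scheduled task(s), Launches sc.exe, Executes dropped EXE) each reduce to one command line, and those command lines are listed under Processes below. As an added example, not part of the Tria.ge report, the following Python turns the behaviour of this run into reusable triage rules and runs them over the command lines copied from it: a system process name (csrss.exe) outside the system directories, an executable dropped directly under C:\Windows, a logon task with /RL HIGHEST pointing at it, an inbound firewall allow for it, a service DACL given a deny ACE for Administrators, and an injector invoked as injector.exe <target> <dll> (here taskmgr.exe and a DLL named NtQuerySystemInformationHook.dll; hooking NtQuerySystemInformation inside Task Manager is the usual way to hide processes from its list). The rule names and the trusted-directory list are my choices, not anything the sandbox applies.

```python
import re

# Command lines copied from the Processes list of this report (behavioral1 run).
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe"',
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\windefender.exe"',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]

# Image names Windows itself only ever runs from the system directories.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "svchost.exe", "wininit.exe"}
# Directories an installer writes to (my list); an executable anywhere else under
# C:\Windows is worth a look. Sysnative is the WoW64 alias a 32-bit process uses
# to reach the 64-bit System32, which is how the sample ran the 64-bit netsh.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\sysnative\\", "c:\\program files\\",
                "c:\\program files (x86)\\")


def trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def image_of(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def rule_masquerade(cmd):
    path = image_of(cmd)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_PROCESS_NAMES and not trusted_path(path):
        return f"system process name {name} running from {path}"


def rule_untrusted_windows_dir(cmd):
    path = image_of(cmd)
    if path.lower().startswith("c:\\windows\\") and not trusted_path(path):
        return f"binary under %SystemRoot% outside the system directories: {path}"


def rule_schtasks_persist(cmd):
    m = re.search(r'schtasks\s+/create\b.*?/tr\s+"?([^"\s]+)"?', cmd, re.I)
    if m and not trusted_path(m.group(1)):
        flags = " ".join(re.findall(r"/(?:sc|rl)\s+\S+", cmd, re.I))
        return f"scheduled task runs {m.group(1)} ({flags})"


def rule_firewall_allow(cmd):
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?program="?([^"\s]+)"?', cmd, re.I)
    if m and "action=allow" in cmd.lower() and not trusted_path(m.group(1)):
        direction = re.search(r"dir=(\w+)", cmd, re.I)
        return f"firewall allow rule (dir={direction.group(1) if direction else '?'}) for {m.group(1)}"


def rule_service_deny_admins(cmd):
    # Only looks for an explicit deny ACE for Builtin Administrators (BA).
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if m and re.search(r"\(D;[^)]*;;;BA\)", m.group(2)):
        return f"service {m.group(1)} given a deny ACE for Administrators"


def rule_dll_injector(cmd):
    # A process name and a DLL path as arguments is the shape of an injector helper.
    args = re.findall(r"\S+", cmd)[1:]
    exes = [a for a in args if a.lower().endswith(".exe")]
    dlls = [a for a in args if a.lower().endswith(".dll")]
    if exes and dlls:
        dll = dlls[0].rsplit("\\", 1)[-1]
        return f"injects {dll} into {exes[0]}"


RULES = [rule_masquerade, rule_untrusted_windows_dir, rule_schtasks_persist,
         rule_firewall_allow, rule_service_deny_admins, rule_dll_injector]


def triage(cmdlines):
    """Return (rule name, finding) pairs; one command line can hit several rules."""
    findings = []
    for cmd in cmdlines:
        for rule in RULES:
            hit = rule(cmd)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for name, hit in triage(PROCESS_CMDLINES):
        print(f"{name:28} {hit}")
```

Eight findings come out of the ten command lines; the two PowerShell launches and the sample's own path produce nothing, which is the point: the loader itself looks like any other dropped executable, and it is the persistence and defence-evasion commands it issues that stand out.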

Processes

C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe

"C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe

"C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 8fb2c794-c86c-4257-b9ca-f35bce2a66e1.uuid.myfastupdate.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server13.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.111:443 server13.myfastupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
BG 185.82.216.111:443 server13.myfastupdate.org tcp
BG 185.82.216.111:443 server13.myfastupdate.org tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
BE 88.221.83.233:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 233.83.221.88.in-addr.arpa udp
BG 185.82.216.111:443 server13.myfastupdate.org tcp
US 8.8.8.8:53 udp

Files

memory/3364-1-0x0000000002940000-0x0000000002D3C000-memory.dmp

memory/3364-2-0x0000000002D40000-0x000000000362B000-memory.dmp

memory/3364-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1092-4-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/1092-5-0x0000000004F40000-0x0000000004F76000-memory.dmp

memory/1092-6-0x0000000005720000-0x0000000005D48000-memory.dmp

memory/1092-7-0x0000000005540000-0x0000000005562000-memory.dmp

memory/1092-8-0x0000000005E50000-0x0000000005EB6000-memory.dmp

memory/1092-9-0x0000000005EC0000-0x0000000005F26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjxnjf33.2yl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1092-19-0x0000000006030000-0x0000000006384000-memory.dmp

memory/1092-20-0x00000000064F0000-0x000000000650E000-memory.dmp

memory/1092-21-0x0000000006540000-0x000000000658C000-memory.dmp

memory/1092-22-0x0000000006AC0000-0x0000000006B04000-memory.dmp

memory/1092-23-0x0000000007830000-0x00000000078A6000-memory.dmp

memory/1092-24-0x0000000007F30000-0x00000000085AA000-memory.dmp

memory/1092-25-0x00000000078D0000-0x00000000078EA000-memory.dmp

memory/1092-26-0x0000000007A90000-0x0000000007AC2000-memory.dmp

memory/1092-27-0x00000000705E0000-0x000000007062C000-memory.dmp

memory/1092-28-0x0000000070760000-0x0000000070AB4000-memory.dmp

memory/1092-38-0x0000000007AD0000-0x0000000007AEE000-memory.dmp

memory/1092-39-0x0000000007AF0000-0x0000000007B93000-memory.dmp

memory/1092-40-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

memory/1092-41-0x0000000007CA0000-0x0000000007D36000-memory.dmp

memory/1092-42-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/1092-43-0x0000000007C40000-0x0000000007C4E000-memory.dmp

memory/1092-44-0x0000000007C50000-0x0000000007C64000-memory.dmp

memory/1092-45-0x0000000007D40000-0x0000000007D5A000-memory.dmp

memory/1092-46-0x0000000007C90000-0x0000000007C98000-memory.dmp

memory/1092-49-0x00000000003B0000-0x000000000041D000-memory.dmp

memory/3084-51-0x0000000002940000-0x0000000002D44000-memory.dmp

memory/3504-61-0x0000000005EC0000-0x0000000006214000-memory.dmp

memory/3504-62-0x00000000705E0000-0x000000007062C000-memory.dmp

memory/3504-63-0x0000000070D60000-0x00000000710B4000-memory.dmp

memory/3504-73-0x0000000007770000-0x0000000007813000-memory.dmp

memory/3504-74-0x0000000007A80000-0x0000000007A91000-memory.dmp

memory/3364-75-0x0000000002940000-0x0000000002D3C000-memory.dmp

memory/3364-76-0x0000000002D40000-0x000000000362B000-memory.dmp

memory/3504-77-0x0000000007AD0000-0x0000000007AE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 64f6524a5c10c9ec550381c71f57d1b2
SHA1 bd650aca9298de9468123a00fda56dc46e053623
SHA256 b78989c1f7f1c8c396e99220a02c0b4056c7c651ff5f81cc22e64451b295d6c4
SHA512 da84fba086ba7cfb79935c56b5b81a71bceb0b2331e88e1b0401f7f4ba39e9256f71bbc6fc00e860a32fbd460b4ce12e292fd475ab912987560cf730a6490356

memory/3048-91-0x00000000705E0000-0x000000007062C000-memory.dmp

memory/3048-92-0x0000000070D60000-0x00000000710B4000-memory.dmp

memory/3364-102-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b7f81e80501e7da575e35aa6247e16fd
SHA1 888b303eae256c01ed3dded1c1885b40e0d4e321
SHA256 29d930cb16f1b32c5a78f3572f9da413e44f3b2b57b2e28fe6d926e72f78d4a0
SHA512 1ff1a0be5f05edc5ac2d14fb8189905b8b2160e498336a67e50e7c9d246b8a2f072c3b13e6d92c3a3f3ed7743ddb43214ce3c865be9e65642314da4b6f4d8575

memory/4448-114-0x00000000705E0000-0x000000007062C000-memory.dmp

memory/4448-115-0x0000000070D60000-0x00000000710B4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 228054e72e146b1a57f58b8cfa987242
SHA1 ee4bcf2ce03194bd4b975ce4b582211900049686
SHA256 1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455
SHA512 4f21b239e1652c35077fed00a56f569c3f838ab40539a5d0a993c3a11475b95230ef93c262d505edeef6bcf699544fa6687fee4a7f50d8427db5d25136324a94

memory/5076-140-0x0000000005600000-0x0000000005954000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b2874a8db0a1b6a7d0abcb5ce9e8d1b0
SHA1 481b7f82edb17203203f30f6f3e8d7bb2f7cff7b
SHA256 1b972821e6f689193692439ce20a579982ac3c09e8aa96fb50e0d8be3160b41b
SHA512 7d2f4d5eb897f36ed249a51d22c240c054faf4a22edca16625d3be8d18449c7919232f97ba2cfb5ba2864cf7b4e8a90c5d3088cbb86fae6d43a08e4e10ba467e

memory/5076-142-0x00000000705E0000-0x000000007062C000-memory.dmp

memory/5076-143-0x0000000070780000-0x0000000070AD4000-memory.dmp

memory/3084-153-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4188-164-0x0000000005E50000-0x00000000061A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a4afe5aa02d50611cb8170101c84fa74
SHA1 92612c64974828fb78b60cba13b511696dd82c58
SHA256 317f1242aaa46d233ca99a3d1b90ca37d8d022e7d7814b33a889e9431fabb033
SHA512 8e7e3f3d9c5d92806dcc5f3ebb1a420fd44173c571c70913b99c890c12642a35007d70d275981bea02cd398f62d280c26255fd0df0ec05c49c44aed083f7811b

memory/4188-166-0x00000000063C0000-0x000000000640C000-memory.dmp

memory/4188-167-0x0000000070500000-0x000000007054C000-memory.dmp

memory/4188-168-0x0000000070680000-0x00000000709D4000-memory.dmp

memory/4188-178-0x00000000075E0000-0x0000000007683000-memory.dmp

memory/4188-179-0x0000000007950000-0x0000000007961000-memory.dmp

memory/4188-180-0x0000000005E10000-0x0000000005E24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a964ccbc1197319208f65d5d5c0e1316
SHA1 1ec899f6893b295795cb17c92a1431ab966e3500
SHA256 f6f38c13dd6c9289c5ef6cbf96059fc0db0e422b9ec4e40fd12a32b592b3d8eb
SHA512 bb991bfd7ca011cec4b9ea777b76e32ec34e48d517c0491a5bcc773b06a046d1d8f1d1891c6a0547034637656ded250583b7fbda48a2a142e768b96588bbb8ac

memory/4468-193-0x0000000070500000-0x000000007054C000-memory.dmp

memory/4468-194-0x0000000070680000-0x00000000709D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4300-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3084-213-0x0000000002940000-0x0000000002D44000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3388-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1092-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3388-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4300-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1092-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4300-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1092-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4300-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-260-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4300-268-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:29

Reported

2024-05-16 12:31

Platform

win11-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3244 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3244 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\system32\cmd.exe
PID 2352 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\system32\cmd.exe
PID 3184 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3184 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2352 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\rss\csrss.exe
PID 2352 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\rss\csrss.exe
PID 2352 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe C:\Windows\rss\csrss.exe
PID 4440 wrote to memory of 2464 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2464 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2464 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1144 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1144 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1144 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4912 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4912 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4912 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4440 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2756 wrote to memory of 1944 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1944 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1944 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1944 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1944 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe

"C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe

"C:\Users\Admin\AppData\Local\Temp\1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server6.myfastupdate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.111:443 server6.myfastupdate.org tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server6.myfastupdate.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avqnacfj.mwc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd31b422a58907cf1cdc2d2db8b9cbec
SHA1 11fab307f1079ff55cdc1fe4f1ae92adacf90b14
SHA256 0502469c05228078595b5da6778e06eac3c510732a4e6a31011b6febca1781fe
SHA512 5ad501e13adb8615a1fb3c464c79fc64f001f372a4ae10e89e0459c7f6c9ab02b19fa9737b8eda30eca90627c2adb382fed58b335d4353849ad204c5bab24cd9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6ac1b6fb914a1ceee78430f807d44572
SHA1 2b835c14f232a38eacf60ca10838018186929e93
SHA256 b37e9df49506ff05ad8a592bfd8243cbce209aa062186083932f332aa14e3a34
SHA512 f9119c6ee5050e49a728314925a4e80bc0927bf7ad83d2338b91ac93378aa7d605df06a48e4300bcaacd7fc49a89171a8a5d6e7520fbcf5036f3e2056c6835d1

C:\Windows\rss\csrss.exe

MD5 228054e72e146b1a57f58b8cfa987242
SHA1 ee4bcf2ce03194bd4b975ce4b582211900049686
SHA256 1b98ba862a163be6aa7d6c3b70b97e5e6638aa4af37ab38e98d21a04d8a29455
SHA512 4f21b239e1652c35077fed00a56f569c3f838ab40539a5d0a993c3a11475b95230ef93c262d505edeef6bcf699544fa6687fee4a7f50d8427db5d25136324a94

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1b2c3e569908eb4a48396d21d7057b0d
SHA1 2213464118ea4232facbf89ddaf5a97b39143a32
SHA256 0e443c4a7de9bf09672d53e842140c13e712afd56a382fb3b15e64ef31c3e8ae
SHA512 6e836a13d0d553884a99f0679984d89956b7c37fbe43fd4be91b14106bc553706c1aa0dea759372a6335319184d9c8d9101a5fe7869e61546460a7299de92be8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd6356ea03830a07e57ed86c5afef1d6
SHA1 b6cc6ae7d368dad42ed5b766aa60d620745ccbec
SHA256 48b5f3393cff93e989374fe4be7b920a373e556730c89cb5503841d39778ac28
SHA512 ab03a7aa33b3e9eb9604b7b411d19a1ad77c64767ee93b01086f4f29c83fbd0b4b500b8bb100ffd149f939ac13f7ec6bed83ce980c088fbb6acadcbd4337a8bc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 056960de5b247a0ef6fac83ab6838615
SHA1 812896930d67dd11fb204092b9b37f7905aa90c4
SHA256 b8e4d6ca14554ce1a2df0ff6023f10f7d717fd8ee7f69fd7337980e18ff3962f
SHA512 707779b2f8cc3c8205914717dfe9d38447ed79f15cc2257e63913e207a7bdfe291f464abc4ec1a48e610471553d15fb48270f016d3954b6218654de976ae5b08

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
