Malware Analysis Report

2025-01-02 06:27

Sample ID 240516-ss785sbb43
Target f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be
SHA256 f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be

Threat Level: Known bad

The file f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:24

Reported

2024-05-16 15:26

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 rule matches; the sandbox recorded no per-match detail)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 rule matches; the sandbox recorded no per-match detail)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (x5) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (14 events) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe (12 events) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (32 events) N/A
N/A N/A C:\Windows\rss\csrss.exe (6 events) N/A
(64 identically formatted rows collapsed per process; in the original order powershell.exe and the dropper came first, then injector.exe interleaved with csrss.exe)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 312 wrote to memory of 2148 (x3) N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1496 (x3) N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1124 (x2) N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 1852 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2636 wrote to memory of 2164 (x3) N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2548 (x3) N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 4112 (x3) N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\rss\csrss.exe
PID 4112 wrote to memory of 212 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 4348 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 1216 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 2052 (x2) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2652 wrote to memory of 4604 (x3) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4588 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe

"C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe

"C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.114:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 114.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.114:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 f6499131-9868-435f-8535-80c736224010.uuid.realupdate.ru udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.realupdate.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
BG 185.82.216.96:443 server3.realupdate.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server3.realupdate.ru tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.96:443 server3.realupdate.ru tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3smmeon.nr3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9996495e91014906c88fbf13b4bdf15b
SHA1 753dc0d4b4b5f5b6785306a72d420df3eac4cf0f
SHA256 a5ce444066ee54040016d82c38b806216ce4ec65b5ed4a5a66f579ebd7a85b70
SHA512 d98eb5b31bf9509449c6481a32be116c078ff882df83a4a1962307c2306308462a697d5c782cf3356c1e68be8f185be60a69b1a6106ee02a408748ebcf709f48

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ca0ed8bc7afdb3af9af139fa238a98b6
SHA1 38f732cd1be7d22b6b7b6f72706754a6f3f59391
SHA256 583593404b955a98d356c4d0e8dcbd120f531602b596690976d271696c5645f0
SHA512 b00cb2dcc8315cb555a1cc1699da99349ed0ce9cd6e6be2247cd52eaedf01a8d85d6ca2f0ad523b4820c76561e866b09718bd2c1ff5573a24312e9e13f2e1f19

C:\Windows\rss\csrss.exe

MD5 ad49a14ae62706017f7c473c94c90244
SHA1 580ccc7b4a970fcdf05fcaaa9319db906d8e70ef
SHA256 f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be
SHA512 fe860e91a02ee7e45209930db59f37f0862c6a218f7d32e53abad6f0f3968a928cd031d1ae7ac6b88406254f852dd0a54355f7eac921be69ecec61ce135a8778

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e9433a64f4f7250ff69e031dfac069db
SHA1 855e42c382a2ba4d0ed91f641b5797866f388109
SHA256 a45aac4b921e2fff922bdeeed674b2455fa234cb977606b136cab25a322a3945
SHA512 efccefe309bcb0b65bd4ac767b35b0ee5b954ece62b56e817fe43b51d056d11fd9d8968e13afa2d77886efca77248ebb7d1ef6cf583accb960512b3f65e6e83d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6408dc0f0a66abbb131a650db0bd9933
SHA1 a6dfd7dfc1b7035bdd376c7f0122fa59a6940771
SHA256 c212a759013194d110d733a54276516f29b5ec3344ff43c4153d2aa9b9b7f527
SHA512 b85f474f66504e743bea3c3f245f0968d25cf9dc6b15c641f81390d29ee72aba744f097ec51b015a8b7f5ce01fba5c64ad96698441333f08312e38323c2a58d9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10b2c230025f6e90e2129904e2906287
SHA1 97965394620470f3e04dcad5d118bc13a839cb60
SHA256 cc832ffe5edebdf1393a3ec494c03d20c3dabb03fe1a17d8c7fcb5249d782038
SHA512 1d07134c3b45095c1bcafa2348fe8fb49e4735bc1564bc787cce49a43fc2b075748b6ddd16e75e3be77fba161073bebbba21b35d9aa1d4738119e05cab5e898f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:24

Reported

2024-05-16 15:26

Platform

win11-20240508-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1160 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1560 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\rss\csrss.exe
PID 1560 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\rss\csrss.exe
PID 1560 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe C:\Windows\rss\csrss.exe
PID 3360 wrote to memory of 3524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 2664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 2664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 2664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 4936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3520 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3360 wrote to memory of 3520 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3548 wrote to memory of 3796 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 3796 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 3796 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3796 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3796 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe

"C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe

"C:\Users\Admin\AppData\Local\Temp\f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 b4275b02-5005-40a4-b9d2-9e5cd105c381.uuid.realupdate.ru udp
US 8.8.8.8:53 server11.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server11.realupdate.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server11.realupdate.ru tcp
BG 185.82.216.96:443 server11.realupdate.ru tcp

Files

memory/1284-1-0x0000000002A20000-0x0000000002E1E000-memory.dmp

memory/1284-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/1284-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1596-4-0x000000007436E000-0x000000007436F000-memory.dmp

memory/1596-5-0x0000000003460000-0x0000000003496000-memory.dmp

memory/1596-6-0x0000000005B40000-0x000000000616A000-memory.dmp

memory/1596-7-0x0000000074360000-0x0000000074B11000-memory.dmp

memory/1596-8-0x00000000061A0000-0x00000000061C2000-memory.dmp

memory/1596-9-0x0000000006340000-0x00000000063A6000-memory.dmp

memory/1596-10-0x00000000063C0000-0x0000000006426000-memory.dmp

memory/1596-19-0x0000000074360000-0x0000000074B11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jv5rtthc.giq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1596-20-0x0000000006430000-0x0000000006787000-memory.dmp

memory/1596-21-0x0000000006920000-0x000000000693E000-memory.dmp

memory/1596-22-0x0000000006950000-0x000000000699C000-memory.dmp

memory/1596-23-0x0000000006EE0000-0x0000000006F26000-memory.dmp

memory/1596-24-0x0000000007D50000-0x0000000007D84000-memory.dmp

memory/1596-25-0x00000000705D0000-0x000000007061C000-memory.dmp

memory/1596-26-0x0000000074360000-0x0000000074B11000-memory.dmp

memory/1596-27-0x0000000070840000-0x0000000070B97000-memory.dmp

memory/1596-37-0x0000000007DB0000-0x0000000007E54000-memory.dmp

memory/1596-36-0x0000000007D90000-0x0000000007DAE000-memory.dmp

memory/1596-38-0x0000000074360000-0x0000000074B11000-memory.dmp

memory/1596-40-0x0000000007EE0000-0x0000000007EFA000-memory.dmp

memory/1596-39-0x0000000008520000-0x0000000008B9A000-memory.dmp

memory/1596-41-0x0000000007F20000-0x0000000007F2A000-memory.dmp

memory/1596-42-0x0000000008030000-0x00000000080C6000-memory.dmp

memory/1596-43-0x0000000007F40000-0x0000000007F51000-memory.dmp

memory/1596-44-0x0000000007F90000-0x0000000007F9E000-memory.dmp

memory/1596-45-0x0000000007FA0000-0x0000000007FB5000-memory.dmp

memory/1596-46-0x0000000007FF0000-0x000000000800A000-memory.dmp

memory/1596-47-0x0000000007FD0000-0x0000000007FD8000-memory.dmp

memory/1596-50-0x0000000074360000-0x0000000074B11000-memory.dmp

memory/1560-52-0x0000000002A30000-0x0000000002E30000-memory.dmp

memory/984-61-0x0000000005580000-0x00000000058D7000-memory.dmp

memory/984-62-0x00000000705D0000-0x000000007061C000-memory.dmp

memory/984-63-0x0000000070820000-0x0000000070B77000-memory.dmp

memory/984-72-0x0000000006CA0000-0x0000000006D44000-memory.dmp

memory/1284-73-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1284-75-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/1284-74-0x0000000002A20000-0x0000000002E1E000-memory.dmp

memory/984-76-0x0000000006FD0000-0x0000000006FE1000-memory.dmp

memory/984-77-0x0000000007020000-0x0000000007035000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1468-89-0x00000000060C0000-0x0000000006417000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1fd8fdc1c5d1671a47ded62ca7aa4ed2
SHA1 1345936ff88773e62389e35c2b55b9d0e9328e04
SHA256 71bcc8ab5e7577cb938603b2d0bd4026dbdeef919ee016ef4234dd4a6b0841d6
SHA512 75fbaa4cb4f9d79fbd07cb1dc892ff061052f3e8eb1a73638b8a728b040fc07de7efe09254374b82326457d6f85847263feeff26b1a2770e04a16e69ea01b161

memory/1468-91-0x00000000705D0000-0x000000007061C000-memory.dmp

memory/1468-92-0x0000000070750000-0x0000000070AA7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cbf530714daf8d6830ce572baafe2c7e
SHA1 88a844a24108de5abfe186bd416d3e2585db07a9
SHA256 2742398472bd63ec19799970708a438e0884433f904eea90e0f121b3d3dcec9a
SHA512 eed4aad654f6b00450f96bea7c675c7e0ae67d4658d49978b86abac6fb07e49886e780d84817dfa644f46cfb72432fbcca1f445380f38cf230a974b946565e02

memory/4160-111-0x00000000705D0000-0x000000007061C000-memory.dmp

memory/4160-112-0x0000000070750000-0x0000000070AA7000-memory.dmp

memory/1560-122-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ad49a14ae62706017f7c473c94c90244
SHA1 580ccc7b4a970fcdf05fcaaa9319db906d8e70ef
SHA256 f0ecb66615bd487bce0d474f0e149969301ea51531a7a143b1b1ad8a9b62e0be
SHA512 fe860e91a02ee7e45209930db59f37f0862c6a218f7d32e53abad6f0f3968a928cd031d1ae7ac6b88406254f852dd0a54355f7eac921be69ecec61ce135a8778

memory/1560-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f603fc60692199b462f6447aeb197725
SHA1 0e2f81ef0098398a3169023d5a641179f7d3f96c
SHA256 a94a6f98f2b1f63868c7d8b4936d3776285e4603628cc5db661c23063b97b8fc
SHA512 4c9f332404edfee4ced10eae407d1fbf7d5cbe16445893b89c38e800463c8dfb738daba1b7376f0277daf65e07def7a9aacaacda2863a9b9480bb652c49ecd07

memory/3524-139-0x00000000705D0000-0x000000007061C000-memory.dmp

memory/3524-140-0x0000000070820000-0x0000000070B77000-memory.dmp

memory/2664-158-0x00000000063D0000-0x0000000006727000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c0ce1863a0a8373525605e0a47259456
SHA1 6061758299d5090273bf9a0b23273625ae3a0a75
SHA256 dd773fb3bff183cddaaff4bfa7f69d20136b47408253b59f3f8729c566b63f1d
SHA512 b3e2413972f44a81c70626027cb03a8a481c5ed757a7b9793e764a35651807f99ac366db277371e807af131c34ae58baa306c0695faa01dd9950b7689cb9cb5e

memory/2664-160-0x0000000006860000-0x00000000068AC000-memory.dmp

memory/2664-161-0x00000000704F0000-0x000000007053C000-memory.dmp

memory/2664-162-0x0000000070670000-0x00000000709C7000-memory.dmp

memory/2664-171-0x0000000007A80000-0x0000000007B24000-memory.dmp

memory/2664-172-0x0000000007E00000-0x0000000007E11000-memory.dmp

memory/2664-173-0x0000000006230000-0x0000000006245000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0de3736f1872d70d213607d6626d29ec
SHA1 a415ece1c62a6b08c144a88f570a9a8b71afb537
SHA256 0ead149c62ec19c9a350d64d29683867c5edf78c6e4fcbaf3b7123dd3e5f6fcb
SHA512 0b368950d896cd45748a8da39482a7229719589460deb321fb9b10a50f9e318f00f6fa9066d0e29cacd4887b22212c51df5f82ba982cc0c1f06f2d12206ed6c9

memory/4936-184-0x00000000704F0000-0x000000007053C000-memory.dmp

memory/4936-185-0x0000000070670000-0x00000000709C7000-memory.dmp

memory/3360-195-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3360-203-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3548-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3548-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3360-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1816-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3360-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3360-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1816-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3360-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3360-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3360-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3360-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3360-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3360-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3360-240-0x0000000000400000-0x0000000000D1C000-memory.dmp