Malware Analysis Report

2024-12-08 02:11

Sample ID 240516-ssexlaba77
Target f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4
SHA256 f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4

Threat Level: Known bad

The file f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:23

Reported

2024-05-16 15:25

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2232 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1244 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\rss\csrss.exe
PID 1244 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\rss\csrss.exe
PID 1244 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\rss\csrss.exe
PID 4260 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 2584 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 2584 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 2584 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4704 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4704 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4704 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 1536 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4260 wrote to memory of 1536 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1932 wrote to memory of 1664 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1664 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1664 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1664 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1664 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe

"C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe

"C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
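
The `sc sdset WinDefender D:(...)S:(...)` command in the process list above replaces the security descriptor of the dropped service. The SDDL is compact enough to misread, so the following added example (not code from the report, the sandbox or the sample) decodes it: it splits the DACL and SACL into ACEs, names the two-letter service rights and SID aliases, and reports what Builtin Administrators can still do with the service. The comparison baseline is the default DACL Windows assigns to a newly created service as documented by Microsoft; treat that baseline as an assumption if your build differs.

```python
"""Decode the service security descriptor set by `sc sdset WinDefender ...`.

Added example (not report or sample code). Parses the SDDL from the recorded
command line, names the two-letter service rights and SID aliases, and checks
what Builtin Administrators can still do. The baseline is the default DACL
Windows gives a new service per Microsoft's documentation (an assumption).
"""
import re

SERVICE_RIGHTS = {  # SDDL service-specific access right tokens
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
SID_ALIASES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
               "SU": "Service", "WD": "Everyone", "AU": "Authenticated Users"}
CONTROL_RIGHTS = {"WP", "DT"}  # SERVICE_STOP, SERVICE_PAUSE_CONTINUE

# Command line as recorded in the behavioral1 process list above.
SDSET_CMDLINE = ("sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: default DACL for a newly created service (Microsoft docs).
DEFAULT_SERVICE_DACL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

ACL_RE = re.compile(r"(D|S):([A-Z]*)((?:\([^)]*\))+)")  # D:/S: prefix, acl flags, ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")

def sddl_from_sdset(cmdline):
    """Return (service_name, sddl) from an `sc sdset <service> <sddl>` command line."""
    parts = cmdline.split()
    if len(parts) != 4 or [p.lower() for p in parts[:2]] != ["sc", "sdset"]:
        raise ValueError(f"not an sc sdset command: {cmdline!r}")
    return parts[2], parts[3]

def split_rights(token):
    """'WPDT' -> {'WP', 'DT'}. Hex masks are not emitted by sc and are rejected."""
    if token.startswith("0x") or len(token) % 2:
        raise ValueError(f"unsupported rights token: {token!r}")
    return {token[i:i + 2] for i in range(0, len(token), 2)}

def parse_sddl(sddl):
    """Parse the D: (DACL) and S: (SACL) parts into lists of ACE dicts."""
    acls = {"dacl": [], "sacl": []}
    for which, _acl_flags, aces in ACL_RE.findall(sddl):
        for ace in ACE_RE.findall(aces):
            fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: {ace!r}")
            ace_type, flags, rights, _obj, _inh, sid = fields
            acls["dacl" if which == "D" else "sacl"].append({
                "type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                "rights": split_rights(rights), "sid": SID_ALIASES.get(sid, sid)})
    return acls

def rights_for(dacl, trustee, ace_type):
    rights = set()  # union of the rights in every ACE of this type for this trustee
    for ace in dacl:
        if ace["sid"] == trustee and ace["type"] == ace_type:
            rights |= ace["rights"]
    return rights

def assess_control(sddl, trustee="Administrators"):
    """Can `trustee` still stop/pause the service? An explicit DENY beats an ALLOW.

    can_rewrite_dacl says whether WRITE_DAC survived, i.e. whether the trustee
    can put a sane descriptor back with sc sdset before stopping the service."""
    dacl = parse_sddl(sddl)["dacl"]
    allowed = rights_for(dacl, trustee, "ALLOW")
    denied = rights_for(dacl, trustee, "DENY")
    findings = []
    if denied & CONTROL_RIGHTS:
        findings.append(f"{trustee} explicitly denied: " +
                        ", ".join(sorted(SERVICE_RIGHTS[r] for r in denied & CONTROL_RIGHTS)))
    if CONTROL_RIGHTS - allowed:
        findings.append(f"{trustee} not granted: " +
                        ", ".join(sorted(SERVICE_RIGHTS[r] for r in CONTROL_RIGHTS - allowed)))
    return {"effective_control": (allowed - denied) & CONTROL_RIGHTS,
            "can_rewrite_dacl": "WD" in allowed and "WD" not in denied,
            "findings": findings}

def diff_from_default(sddl, baseline=DEFAULT_SERVICE_DACL):
    """Per-trustee ALLOW rights removed from or added to the baseline DACL."""
    def allow_map(dacl):
        out = {}
        for ace in dacl:
            if ace["type"] == "ALLOW":
                out.setdefault(ace["sid"], set()).update(ace["rights"])
        return out
    cur = allow_map(parse_sddl(sddl)["dacl"])
    base = allow_map(parse_sddl(baseline)["dacl"])
    return {sid: {"removed": base.get(sid, set()) - cur.get(sid, set()),
                  "added": cur.get(sid, set()) - base.get(sid, set())}
            for sid in set(cur) | set(base) if cur.get(sid, set()) != base.get(sid, set())}
```

Run against the recorded string, the only difference from the baseline is in the Administrators ACE: SERVICE_STOP and SERVICE_PAUSE_CONTROL are dropped from the allow ACE and then denied again explicitly by `(D;;WPDT;;;BA)`, so an elevated `sc stop WinDefender` is refused by the Service Control Manager. WRITE_DAC and SERVICE_CHANGE_CONFIG are left in place, which is why the descriptor can still be rewritten by an administrator with `sc sdset` and the service stopped afterwards; whether the sample's other components interfere with that is not something this report shows.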

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 3bcc1cf8-37a9-492b-8955-75ac990aa9d3.uuid.realupdate.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.realupdate.ru udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.96:443 server13.realupdate.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.96:443 server13.realupdate.ru tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.96:443 server13.realupdate.ru tcp
N/A 127.0.0.1:31465 tcp
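
The Network table above is flattened and mixes sandbox resolver noise (the `*.in-addr.arpa` reverse lookups) with the connections worth extracting. The following added example (not the report's own tooling) parses rows in this layout into indicator lists, handling the rows whose Domain column is absent (`52.111.236.23:443` and the loopback connection) by splitting from both ends. The table embedded in the code is a subset copied from the rows above. Treating Bing hostnames as OS and browser background traffic, and flagging UUID-shaped leftmost labels, are analyst assumptions, not findings of the report.

```python
"""Turn the flattened 'Network' table of this report into IOC lists.

Added example, not report tooling. Rows are 'Country Destination Domain
Proto'; Domain is missing on some rows, so rows are split from both ends.
Reverse lookups (*.in-addr.arpa) are counted, not listed. The Bing allowlist
and the UUID-label heuristic are analyst assumptions.
"""
import ipaddress
import re

# Constructed subset of the report's Network rows (copied verbatim from the table).
NETWORK_TABLE = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 3bcc1cf8-37a9-492b-8955-75ac990aa9d3.uuid.realupdate.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.realupdate.ru udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.96:443 server13.realupdate.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
IE 52.111.236.23:443 tcp
BG 185.82.216.96:443 server13.realupdate.ru tcp
N/A 127.0.0.1:31465 tcp
"""

BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")  # assumption: OS/browser traffic, not the sample's
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)

def parse_row(line):
    """Parse one row into a dict, or None for a blank line."""
    parts = line.split()
    if not parts:
        return None
    if len(parts) == 3:                      # Domain column absent
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(ip), "port": int(port),
            "domain": domain, "proto": proto.lower()}

def classify(row):
    """Bucket a row: local, reverse_dns, background, dns_query or connection."""
    domain = row["domain"]
    if row["ip"].is_loopback:
        return "local"
    if domain and domain.endswith(".in-addr.arpa"):
        return "reverse_dns"
    if domain and domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns_query"
    return "connection"

def extract_iocs(table):
    """Return deduplicated indicator sets plus counts of what was filtered out."""
    out = {"domains": set(), "connections": set(), "uuid_hosts": set(),
           "background": set(), "reverse_dns": 0, "local_ports": set()}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        kind = classify(row)
        if kind == "reverse_dns":
            out["reverse_dns"] += 1
        elif kind == "local":
            out["local_ports"].add(row["port"])
        elif kind == "background":
            out["background"].add(row["domain"])
        elif kind == "dns_query":
            out["domains"].add(row["domain"])
        else:  # (ip, port, proto, domain-or-dash), deduplicated across repeated rows
            out["connections"].add((str(row["ip"]), row["port"], row["proto"], row["domain"] or "-"))
        if row["domain"] and UUID_LABEL.match(row["domain"]):
            out["uuid_hosts"].add(row["domain"])
    return out
```

On the embedded rows this yields five queried domains, five distinct outbound connections (the two `server13.realupdate.ru` rows collapse into one), one reverse lookup, two background hostnames and the single loopback port 31465; the `3bcc1cf8-...uuid.realupdate.ru` name is the one UUID-labelled host.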

Files

memory/2940-1-0x00000000029B0000-0x0000000002DAC000-memory.dmp

memory/2940-2-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/2940-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3216-4-0x00000000744AE000-0x00000000744AF000-memory.dmp

memory/3216-5-0x00000000033C0000-0x00000000033F6000-memory.dmp

memory/3216-7-0x0000000005B10000-0x0000000006138000-memory.dmp

memory/3216-6-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/3216-8-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/3216-9-0x00000000059A0000-0x00000000059C2000-memory.dmp

memory/3216-10-0x00000000061B0000-0x0000000006216000-memory.dmp

memory/3216-11-0x0000000006220000-0x0000000006286000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ko45c4yq.ncq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3216-21-0x0000000006340000-0x0000000006694000-memory.dmp

memory/3216-22-0x00000000069C0000-0x00000000069DE000-memory.dmp

memory/3216-23-0x0000000006A00000-0x0000000006A4C000-memory.dmp

memory/3216-24-0x0000000006E20000-0x0000000006E64000-memory.dmp

memory/3216-25-0x0000000007B70000-0x0000000007BE6000-memory.dmp

memory/3216-27-0x0000000007B20000-0x0000000007B3A000-memory.dmp

memory/3216-26-0x0000000008270000-0x00000000088EA000-memory.dmp

memory/3216-28-0x0000000007F60000-0x0000000007F92000-memory.dmp

memory/3216-30-0x0000000070340000-0x000000007038C000-memory.dmp

memory/3216-31-0x0000000070A40000-0x0000000070D94000-memory.dmp

memory/3216-29-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/3216-41-0x0000000007FA0000-0x0000000007FBE000-memory.dmp

memory/3216-42-0x0000000007FC0000-0x0000000008063000-memory.dmp

memory/3216-43-0x00000000080B0000-0x00000000080BA000-memory.dmp

memory/3216-44-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/3216-45-0x00000000081C0000-0x0000000008256000-memory.dmp

memory/3216-46-0x00000000080C0000-0x00000000080D1000-memory.dmp

memory/3216-47-0x0000000008100000-0x000000000810E000-memory.dmp

memory/3216-48-0x0000000008120000-0x0000000008134000-memory.dmp

memory/3216-49-0x0000000008170000-0x000000000818A000-memory.dmp

memory/3216-50-0x0000000008160000-0x0000000008168000-memory.dmp

memory/3216-53-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1244-55-0x00000000029C0000-0x0000000002DBB000-memory.dmp

memory/4816-65-0x0000000005E00000-0x0000000006154000-memory.dmp

memory/4816-66-0x0000000070340000-0x000000007038C000-memory.dmp

memory/4816-67-0x00000000704C0000-0x0000000070814000-memory.dmp

memory/4816-77-0x00000000074B0000-0x0000000007553000-memory.dmp

memory/4816-78-0x00000000077F0000-0x0000000007801000-memory.dmp

memory/4816-79-0x0000000007840000-0x0000000007854000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fe1c6e136f635027ea5af32762740b64
SHA1 1f34aca384394c2afbf4628e91f9a2318454aa99
SHA256 8b320bf89f0de120fa1f1efa0a68606c03440ffbe870bb9100cfb51fa1d2f9ca
SHA512 4487ca011cea443408f816caf0c037cfb5703c1c3164465c9566760e371c1ba842fec30317ff623c169274f36c94f7ec6926ca3f8e06facb6fed8ac8a76578d4

memory/4920-93-0x0000000070340000-0x000000007038C000-memory.dmp

memory/4920-94-0x00000000704C0000-0x0000000070814000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4056fd5139c9db89f1c65565be7d2362
SHA1 8bd9eb1268e5ee75232992bbf4a77c4d12a7872e
SHA256 7ab12a3c07b6b1dd085d34342d5364c3cc0a25ced6b15646e0ad696cb46557ca
SHA512 36a0bf82a1d29120c188a53ae6d3d3f23c1d0f4f02ce803d436dfbf230f007a0d92049b2bf70518346cbc73b86653d16e12430c630f998162e2b6b163cae6f4e

memory/2940-115-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2940-116-0x00000000029B0000-0x0000000002DAC000-memory.dmp

memory/2940-117-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/1396-118-0x0000000070340000-0x000000007038C000-memory.dmp

memory/1396-119-0x00000000704C0000-0x0000000070814000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7ede9b984254a01a882350f64c82c39d
SHA1 328c389f36ef80ff9e87f77dd4616e836ebbbe80
SHA256 f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4
SHA512 5af9b11e6b5af18cbaae3b37578166bf26745efcb9f27a56027504962be762bf4502f4c43bb80868d872f0505823061c914e85bcaed29646b12baa55d8932e0d

memory/1244-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/756-145-0x0000000005690000-0x00000000059E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 956646098cd392dd52563c571525e0e2
SHA1 516c8192833cf726618d5f2c3a878209817f3a28
SHA256 ba7140bfa477d459c9c68a5a49bee40d1ddf3ac91b594d150276163caa9a5dc7
SHA512 13a9d43d5510fbb9c273064b0428f7ac4b5045b1b3f0ff14f1dba1f87a1b01b1039e7d609ddc8931a7f027d8e7b3c9b78feeec9a862989c27e6f2f95e7f65817

memory/756-148-0x0000000070A80000-0x0000000070DD4000-memory.dmp

memory/756-147-0x0000000070340000-0x000000007038C000-memory.dmp

memory/2584-168-0x0000000006340000-0x0000000006694000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ed4bb3db5398efd13ef4de39bee71a53
SHA1 5e04714b2f3977e30ddc3f802da7ecdd97a7eb6e
SHA256 2465af8934b9a094fc318a78e1c3d63b1093b4548d50c66bbbcd36fdc303274b
SHA512 a1da5f29d340cdd8bfcefcf0be3e5c273ed9ef190f854953d2156e158c513d1ee84eb4392cb98ca02a9e1fabfb7a20fcc01db10ba964c12f0cd8be334a2fa0d0

memory/2584-170-0x0000000006DE0000-0x0000000006E2C000-memory.dmp

memory/2584-172-0x00000000709F0000-0x0000000070D44000-memory.dmp

memory/2584-171-0x0000000070260000-0x00000000702AC000-memory.dmp

memory/2584-182-0x0000000007BF0000-0x0000000007C93000-memory.dmp

memory/2584-183-0x0000000007F30000-0x0000000007F41000-memory.dmp

memory/2584-184-0x0000000006280000-0x0000000006294000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0d981b97ce2654de589378174ff4ed67
SHA1 875c49c3ec8ba46281ee65c6066efddac25e7c57
SHA256 fda29928cf868167a7ce115e6dc2a228f4f147230277e5e19daf12a25122acee
SHA512 8e8d7e2f11fa6ea02e923944b6f035f4cdbe27b2c829d5403b83152154a3cb7fc49b6497096d0134f1940755015cb26cd10120ec7f11e107cb6c364abe824326

memory/4704-197-0x00000000709F0000-0x0000000070D44000-memory.dmp

memory/4704-196-0x0000000070260000-0x00000000702AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4260-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1932-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2072-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1932-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4260-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2072-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4260-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2072-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4260-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4260-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:23

Reported

2024-05-16 15:25

Platform

win11-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
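
The firewall rule, the Run key and the two scheduled-task creations above all point at the same thing: a file named `csrss.exe` that lives in `C:\Windows\rss` rather than `System32`. The following added example (not part of the sandbox report or the sample) turns that into detection logic and runs it over events constructed from the command lines and the Run-key write recorded in this report; the pids and the event field names are invented for the example, and pid 6 is a constructed benign control that must not fire. The `sc sdset` rule only pattern-matches a DENY ACE for Administrators that touches stop or pause rights, it does not decode the whole descriptor.

```python
"""Detection rules for the persistence chain recorded in this report.

Added example, not part of the sandbox report or the sample. Runs over
process-creation and registry-write events constructed from the command
lines and Run-key write shown in the report (pids and field names invented).
The common thread is a binary carrying a core Windows process name outside
System32/SysWOW64; the last rule matches the DENY ACE for Administrators.
"""
import re

SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # whitespace split, quoted spans kept whole
DENY_BA_ACE = re.compile(r"\(D;[^;)]*;([A-Z]+);[^;)]*;[^;)]*;BA\)")  # rights of a DENY ACE for BA

# Constructed events mirroring the report; pid 6 is a benign control that must not fire.
SAMPLE_EVENTS = [
    {"pid": 1, "type": "process", "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 2, "type": "process", "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 3, "type": "process", "cmdline": r'schtasks /delete /tn ScheduledUpdate /f'},
    {"pid": 4, "type": "process", "cmdline": r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'},
    {"pid": 5, "type": "registry", "key": r"HKU\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss", "value": r'"C:\Windows\rss\csrss.exe"'},
    {"pid": 6, "type": "process", "cmdline": r'netsh advfirewall firewall add rule name="Backup Agent" dir=in action=allow program="C:\Program Files\Backup\agent.exe" enable=yes'},
]

def is_masquerading(path):
    """Core system process name, but the file is not under System32/SysWOW64."""
    p = path.strip('"').lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not p.startswith(TRUSTED_DIRS)

def first_image(value):
    """Executable path from a Run-key value: the quoted path, else the first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def kv_args(tokens):
    """netsh-style key=value tokens -> dict, quotes stripped from values."""
    return {k.lower(): v.strip('"') for k, v in (t.split("=", 1) for t in tokens if "=" in t)}

def rule_firewall_allow(tokens):
    if [t.lower() for t in tokens[:5]] != ["netsh", "advfirewall", "firewall", "add", "rule"]:
        return None
    args = kv_args(tokens[5:])
    if args.get("action", "").lower() == "allow" and is_masquerading(args.get("program", "")):
        return f"firewall allow rule '{args.get('name')}' for masquerading binary {args['program']}"
    return None

def rule_schtasks_create(tokens):
    low = [t.lower() for t in tokens]
    if low[:2] != ["schtasks", "/create"]:
        return None
    opts = {low[i]: tokens[i + 1].strip('"') for i in range(len(tokens) - 1)
            if low[i].startswith("/") and not low[i + 1].startswith("/")}
    if is_masquerading(opts.get("/tr", "")):
        return (f"scheduled task '{opts.get('/tn')}' ({opts.get('/sc')}, RL {opts.get('/rl')}) "
                f"runs masquerading binary {opts['/tr']}")
    return None

def rule_sc_sdset_deny_admins(tokens):
    if [t.lower() for t in tokens[:2]] != ["sc", "sdset"] or len(tokens) < 4:
        return None
    for rights in DENY_BA_ACE.findall(tokens[3]):
        denied = {rights[i:i + 2] for i in range(0, len(rights), 2)} & {"WP", "DT"}
        if denied:
            return f"service {tokens[2]}: DACL denies Administrators {sorted(denied)} (stop/pause)"
    return None

def rule_run_key(key, value):
    if "\\currentversion\\run\\" not in key.lower():
        return None
    image = first_image(value)
    name = key.rsplit("\\", 1)[-1]
    return f"Run value '{name}' launches masquerading binary {image}" if is_masquerading(image) else None

def hunt(events):
    """Apply every rule to every event; returns [(pid, finding)] in event order."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            tokens = TOKEN_RE.findall(ev["cmdline"])
            if len(tokens) > 2 and tokens[0].lower().endswith("cmd.exe") and tokens[1].lower() == "/c":
                tokens = tokens[2:]  # unwrap `cmd.exe /C <command>` so the inner command is matched
            for rule in (rule_firewall_allow, rule_schtasks_create, rule_sc_sdset_deny_admins):
                finding = rule(tokens)
                if finding:
                    hits.append((ev["pid"], finding))
        elif ev["type"] == "registry":
            finding = rule_run_key(ev["key"], ev["value"])
            if finding:
                hits.append((ev["pid"], finding))
    return hits
```

On the constructed events the four malicious ones (firewall rule, task creation, `sc sdset`, Run key) fire and the `schtasks /delete` and the Program Files firewall rule do not. The masquerading check is deliberately narrow: a genuine `C:\Windows\System32\csrss.exe` never matches, and an arbitrary name under `C:\Windows\rss` does not match either, so the rule keys on the name collision rather than on the directory alone.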

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\system32\cmd.exe
PID 4400 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\system32\cmd.exe
PID 1388 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1388 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4400 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\rss\csrss.exe
PID 4400 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\rss\csrss.exe
PID 4400 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe C:\Windows\rss\csrss.exe
PID 2868 wrote to memory of 1752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1816 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2176 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2176 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2176 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2868 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4580 wrote to memory of 2148 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 2148 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 2148 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2148 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2148 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe

"C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe

"C:\Users\Admin\AppData\Local\Temp\f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
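
The three commands in the list above that matter for persistence and self-protection are the netsh rule that allows inbound traffic to C:\Windows\rss\csrss.exe, the ONLOGON task with /RL HIGHEST that restarts the same binary, and the sc sdset call that rewrites the security descriptor of a service named WinDefender. The following Python is an added example and not part of the sandbox output: it decodes the SDDL string with service-object rights semantics and runs a small triage over the report's command lines. The command lines are copied verbatim from the Processes list; TRUSTED_ROOTS and SYSTEM_NAMES are assumptions to tune per environment.

```python
"""Added example (not sandbox output): decode the sc sdset descriptor and
triage the persistence command lines from the Processes list. The command
lines are copied from the report; TRUSTED_ROOTS and SYSTEM_NAMES are assumptions."""
import re
from dataclasses import dataclass

# SDDL two-letter rights with their meaning for service objects (sc sdset/sdshow).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations used in the report's descriptor.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
# Assumption: a privileged logon task or firewall allow for a binary under
# these roots is not flagged by itself.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\")
# Core Windows process names that never legitimately run outside System32.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "wininit.exe", "services.exe"}

# Constructed input: the four relevant command lines, verbatim from the report.
REPORT_COMMANDS = [
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
    'program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'schtasks /delete /tn ScheduledUpdate /f',
    'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)'
    '(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]


@dataclass(frozen=True)
class Ace:
    kind: str          # A = allow, D = deny, AU = audit
    flags: str
    rights: frozenset  # two-letter SDDL rights
    trustee: str


def parse_sddl_dacl(sddl: str) -> list:
    """ACEs of the D: section. Two-letter rights only; hex masks raise."""
    m = re.search(r"D:[PAIR]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        kind, flags, rights, _obj, _inherit, sid = body.split(";")
        pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        if any(p not in SERVICE_RIGHTS for p in pairs):
            raise ValueError(f"unsupported rights field {rights!r}")
        aces.append(Ace(kind, flags, frozenset(pairs), TRUSTEES.get(sid, sid)))
    return aces


def effective_service_rights(aces) -> dict:
    """Allowed minus denied rights per trustee (deny wins). Group membership is
    not expanded, so a deny on Administrators does not touch LocalSystem."""
    allowed, denied = {}, {}
    for ace in aces:
        if ace.kind in ("A", "D"):
            bucket = allowed if ace.kind == "A" else denied
            bucket.setdefault(ace.trustee, set()).update(ace.rights)
    return {t: sorted(SERVICE_RIGHTS[r] for r in rs - denied.get(t, set()))
            for t, rs in allowed.items()}


def triage_command(cmdline: str) -> list:
    """Findings for one command line. The program path is read from program=
    or /TR and must not contain spaces (true for the report's lines)."""
    findings, low, argv = [], cmdline.lower(), cmdline.split()
    tool = argv[0].lower().rsplit("\\", 1)[-1].replace(".exe", "")
    m = re.search(r'(?:program=|/tr )"?([^"\s]+)', cmdline, re.I)
    path = m.group(1) if m else ""
    lpath = path.lower()
    if tool == "schtasks" and "/create" in low and "/rl highest" in low:
        if not lpath.startswith(TRUSTED_ROOTS):
            findings.append(f"logon task with highest run level starts {path}")
    elif tool == "netsh" and "action=allow" in low and not lpath.startswith(TRUSTED_ROOTS):
        findings.append(f"inbound firewall allow rule for {path}")
    elif tool == "sc" and len(argv) > 3 and argv[1].lower() == "sdset":
        for ace in parse_sddl_dacl(argv[3]):
            if ace.kind == "D" and ace.rights & {"WP", "DT"}:
                names = ", ".join(SERVICE_RIGHTS[r] for r in sorted(ace.rights))
                findings.append(f"service {argv[2]}: {ace.trustee} denied {names}")
    name = lpath.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not lpath.startswith("c:\\windows\\system32\\"):
        findings.append(f"core process name {name} outside System32: {path}")
    return findings


def triage_report(commands=REPORT_COMMANDS) -> dict:
    """Command lines that produced findings, mapped to those findings."""
    result = {c: triage_command(c) for c in commands}
    return {c: f for c, f in result.items() if f}


if __name__ == "__main__":
    for cmd, found in triage_report().items():
        print(cmd.split()[0] + ":", "; ".join(found))
    print(effective_service_rights(parse_sddl_dacl(REPORT_COMMANDS[3].split()[3])))
```

Decoding the descriptor shows what the deny ACE actually buys. Administrators are denied SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so sc stop WinDefender fails from an elevated prompt, but the allow ACE for the same group still grants SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER. An administrator can therefore disable the service with sc config, remove it with sc delete, or simply reset the descriptor with another sc sdset; LocalSystem keeps SERVICE_STOP throughout. The service name WinDefender is also one letter away from WinDefend, the real service name of Microsoft Defender Antivirus. The triage output for the report's lines is three flagged commands: the netsh rule and the ONLOGON task are both flagged for a binary named csrss.exe outside System32, and the sc sdset line for the deny on Administrators; the schtasks /delete line produces no finding.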

Network

Country Destination Domain Proto
US 8.8.8.8:53 43df14ae-e3e9-46de-8348-b5c957e8fef8.uuid.realupdate.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server4.realupdate.ru tcp
US 74.125.250.129:19302 stun2.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server4.realupdate.ru tcp
BG 185.82.216.96:443 server4.realupdate.ru tcp
US 52.111.227.14:443 tcp
BG 185.82.216.96:443 server4.realupdate.ru tcp

Files

memory/1932-1-0x0000000002A40000-0x0000000002E3C000-memory.dmp

memory/1932-2-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/1932-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2952-4-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

memory/2952-5-0x0000000002630000-0x0000000002666000-memory.dmp

memory/2952-6-0x0000000004FE0000-0x000000000560A000-memory.dmp

memory/2952-7-0x0000000074E30000-0x00000000755E1000-memory.dmp

memory/2952-8-0x0000000004C20000-0x0000000004C42000-memory.dmp

memory/2952-9-0x0000000004DC0000-0x0000000004E26000-memory.dmp

memory/2952-10-0x0000000004EA0000-0x0000000004F06000-memory.dmp

memory/2952-11-0x0000000074E30000-0x00000000755E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4qqbzjr.0cf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2952-17-0x0000000005610000-0x0000000005967000-memory.dmp

memory/2952-21-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

memory/2952-22-0x0000000005B20000-0x0000000005B6C000-memory.dmp

memory/2952-23-0x00000000060A0000-0x00000000060E6000-memory.dmp

memory/2952-25-0x00000000710A0000-0x00000000710EC000-memory.dmp

memory/2952-24-0x0000000006F10000-0x0000000006F44000-memory.dmp

memory/2952-36-0x0000000074E30000-0x00000000755E1000-memory.dmp

memory/2952-37-0x0000000006F70000-0x0000000007014000-memory.dmp

memory/2952-35-0x0000000006F50000-0x0000000006F6E000-memory.dmp

memory/2952-26-0x0000000071310000-0x0000000071667000-memory.dmp

memory/2952-40-0x0000000074E30000-0x00000000755E1000-memory.dmp

memory/2952-39-0x00000000070A0000-0x00000000070BA000-memory.dmp

memory/2952-38-0x00000000076E0000-0x0000000007D5A000-memory.dmp

memory/2952-41-0x00000000070E0000-0x00000000070EA000-memory.dmp

memory/2952-42-0x00000000071F0000-0x0000000007286000-memory.dmp

memory/2952-43-0x0000000007100000-0x0000000007111000-memory.dmp

memory/2952-44-0x0000000007150000-0x000000000715E000-memory.dmp

memory/2952-45-0x0000000007160000-0x0000000007175000-memory.dmp

memory/2952-46-0x00000000071B0000-0x00000000071CA000-memory.dmp

memory/2952-47-0x00000000071D0000-0x00000000071D8000-memory.dmp

memory/2952-50-0x0000000074E30000-0x00000000755E1000-memory.dmp

memory/1932-52-0x0000000002A40000-0x0000000002E3C000-memory.dmp

memory/4400-54-0x0000000002A20000-0x0000000002E20000-memory.dmp

memory/1932-53-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/4584-63-0x0000000005C90000-0x0000000005FE7000-memory.dmp

memory/4584-64-0x00000000710A0000-0x00000000710EC000-memory.dmp

memory/4584-65-0x00000000712B0000-0x0000000071607000-memory.dmp

memory/4584-74-0x00000000073E0000-0x0000000007484000-memory.dmp

memory/4584-75-0x0000000007730000-0x0000000007741000-memory.dmp

memory/1932-76-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4584-77-0x0000000007780000-0x0000000007795000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1124-89-0x0000000005D10000-0x0000000006067000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7fa2a890a121a9208d8f1b4703e3b5ff
SHA1 bab503f0ad71460583d63749ddd32ead153af63e
SHA256 9e0c41eedc049beaca6f636a8c83154f15550727280d53472d67ecead7dfdc56
SHA512 a9ad7dde8a91a23a1b7f1be04a55683ee89f1622bfb95ecb24d2c57c8485ee7df1719a8621b86df58acb31c7dd4ac5da4a6433f0ce12621fdb33920a9fb7c9fc

memory/1124-91-0x00000000710A0000-0x00000000710EC000-memory.dmp

memory/1124-92-0x00000000712F0000-0x0000000071647000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 62584b6fc1e6fcd4f44a6907ebd4c854
SHA1 ed62e9c401b88a39dad201888cff1f188b0ed557
SHA256 4fca8da1d2f5ad84e725a07fe3442789f711b569bf4fb296e9cbd646af87ad1a
SHA512 16c28241827f64d3351153394edc2ef846e28224faeb78f7d0bcecb49c5eccadbeac045a7f90b0981df18cf35e80601d778f671ec29aa9a800d28c90096da4e7

memory/4936-111-0x00000000710A0000-0x00000000710EC000-memory.dmp

memory/4936-112-0x00000000712F0000-0x0000000071647000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7ede9b984254a01a882350f64c82c39d
SHA1 328c389f36ef80ff9e87f77dd4616e836ebbbe80
SHA256 f0661be0f91c38c24f3cc5d1d2ff73c4f19260eecee128afc0c0007811bf21c4
SHA512 5af9b11e6b5af18cbaae3b37578166bf26745efcb9f27a56027504962be762bf4502f4c43bb80868d872f0505823061c914e85bcaed29646b12baa55d8932e0d

memory/4400-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8d3f93968339855f0bb6199d3451e1a8
SHA1 5f37d0a4676fe5980e666cbdb23fd61c5b6d400e
SHA256 7eb25b367efadd61583c4d8464859cab26be74c86afe034b9146df98b8c2072d
SHA512 e6039f4d1054b4113d3231ec70a9dfbf7ad79ea4830b81fad5053923355b7a9354bc69fcb08bc194d399dd8969fa59c0ce58eaccf76a8313fb2fe2a6479c3af3

memory/1752-139-0x00000000712F0000-0x0000000071647000-memory.dmp

memory/1752-138-0x00000000710A0000-0x00000000710EC000-memory.dmp

memory/1816-157-0x0000000005B30000-0x0000000005E87000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7630f0c3d1f5dd1c9bf4c9dd06038705
SHA1 b2bbf7cfa63064bd37670d3343d0ab8e4e4f9ab4
SHA256 a21d84732becedaf506850a8cac9ce0e3365951a32eaa83d8920d7b046be350f
SHA512 dd36081bee0cb36925632ef9de242cdd0ab40c570823e8ee866deaa54b63f766937512556ffa624ed23aff302d78783ca932b60b169be1cebca649dc6c522687

memory/1816-159-0x00000000060D0000-0x000000000611C000-memory.dmp

memory/1816-160-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/1816-161-0x00000000711D0000-0x0000000071527000-memory.dmp

memory/1816-170-0x0000000007300000-0x00000000073A4000-memory.dmp

memory/1816-171-0x0000000007650000-0x0000000007661000-memory.dmp

memory/1816-172-0x00000000059F0000-0x0000000005A05000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 32770cc67af6c026cb2f2984f71ba9c7
SHA1 6942cfa7e987aa7cc76c94befe0566bd94df669e
SHA256 d9984a502b9fc137d17a3f644fd84c58fdf68e41f53edd628377d4ecef8977d3
SHA512 7f719dd6dbb21d720fc86b52503333f158e2c2b37de91ecb855a7128348a847804e445366bfc0baad972d1f206dd99b163d582cc9a140802d11b2de073ca4c87

memory/2176-184-0x00000000711D0000-0x0000000071527000-memory.dmp

memory/2176-183-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/2868-194-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4580-204-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3828-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4580-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2868-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3828-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2868-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3828-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2868-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-242-0x0000000000400000-0x0000000000D1C000-memory.dmp