Malware Analysis Report

2024-12-08 02:20

Sample ID 240516-we1tpagc9w
Target 2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7
SHA256 2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7

Threat Level: Known bad

The file 2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:50

Reported

2024-05-16 17:53

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\system32\cmd.exe
PID 1852 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1852 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1916 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\rss\csrss.exe
PID 1916 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\rss\csrss.exe
PID 1916 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\rss\csrss.exe
PID 1012 wrote to memory of 1744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 1744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 3444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 3444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 3444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1012 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1012 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3136 wrote to memory of 3360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3360 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3360 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3360 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3360 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe

"C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe

"C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 185eb5ec-97e9-49f6-9555-9578bd470906.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server16.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
BG 185.82.216.108:443 server16.databaseupgrade.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbw44jeq.kge.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 327142dec65dc3f038b210377abc93de
SHA1 f81b550b17173714d8ab470d2c6d5662f56d3a29
SHA256 49f9e9e153b1046bbfd0b9acbaabbc98a6ccffda5a3cff77f372a3423944748c
SHA512 9aab32ae305867d5fe3e98d13786cae8d4cc585307791edff85a1c0586ce5fd5df633a3538ff770727c8592ae0d53af00acffdd1dd536078da9bfd874f671edc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9bf86fa281e31b5210ab8a92cc80eb08
SHA1 318ae40f3b627b33ea92801ac3f25807fd49ffda
SHA256 76ed414999cab45cd047c72676565ff7a4d12ce16d14c3f8d01ae95c4fcd620d
SHA512 ecbc4a269fb58337a27ff7f9e3fc7938c3e82ae82e5eee9913ee8bef555408d95840e48b78ae1f57acb131c330d0a7241cf4360671e62dffc41d0156ed54c526

C:\Windows\rss\csrss.exe

MD5 fdb5dc85a26d2aa74f762634d86b7b8f
SHA1 c9c40ab974982eff6a39e3fa13b6ffb0722a51d7
SHA256 2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7
SHA512 8fcd96eee55e9fc646f95e1eb74da88b729c0f75eabf9b83712de041aee1f11ee41bb74f013387cf9ba1b34790f90109a318ede811b7eb5b5b3cb50e79205d0a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8ec5a68f816e799e9fcc9534a0281028
SHA1 e8d1f6ffb6b092dfaa552cea4118ce3b2abc7657
SHA256 8b791cd44053045d85d4cb107a7c4eec9d46b2a6234d5eee1131e7738883063f
SHA512 214ebbc68c28c15e5d12eda64b3af125bbfb683df6c82d3687ed0bdca2bf9f38929b451dd0a85ff5464d24fea1a45b4a882cc15471e6f51d9a2db44284e6bd53

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab87402cc50840e3de6f6a9babbafd81
SHA1 23902644124cbc915bfbd3de7e5b488d8c22ca65
SHA256 e7d9fb8118e518c7acf9a650828db6a7c372d1584e97bff660358d8ef6436152
SHA512 95a84f4e6a248d8cb6ac955c85366d4ea8177cc53cb2fc288882881dcb0c34d4d7f9b221fc247532209075d7a47ca752a332ab399fa5a26bd0a7884c97d4174f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f7c4e90a1800f9b2c0eda9f36abe0de4
SHA1 39c83b2075c99fa1b02ad3ab8a72c8ce15b1a392
SHA256 68f43f565f63dda38550d85cd1fdbb39d065fccb0d67c060959d5be225abf604
SHA512 4a97a48c234c425fc611a91c42c11e3e341dcf08697fa3efdc3bdea534402f1505a84de5fc584e07cd227a6c8b1e7b8cc011c873d01746496442bd7f54008989

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:50

Reported

2024-05-16 17:53

Platform

win11-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\system32\cmd.exe
PID 3572 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3572 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1744 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\rss\csrss.exe
PID 1744 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\rss\csrss.exe
PID 1744 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe C:\Windows\rss\csrss.exe
PID 1572 wrote to memory of 2336 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 2336 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 2336 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 4808 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1572 wrote to memory of 4808 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4348 wrote to memory of 3572 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 3572 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 3572 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3572 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3572 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe

"C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe

"C:\Users\Admin\AppData\Local\Temp\2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 9cf949b1-dd05-4e23-a72e-4d322ea641f1.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 server3.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server3.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
BG 185.82.216.108:443 server3.databaseupgrade.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpujvyy3.5rp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 00d43f20939fecb68c520954781bec90
SHA1 d920ce51a665fed93cc9b89b7b28e52f00a865d8
SHA256 1589cc327cf9c04851a8b6923938b25823f93a407d99576f61609e0bec935cea
SHA512 48b29c58f5ff765c13d7ab0d00523d2e461ba9218c975aa54ca7635fe9132d94a0ea7f73bdd60d4498e6e41e6427fc65faeed798ed10d9a7d95d8a235eaf754a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a6b1adab799812428ec3957de5a9484
SHA1 db351355df73fb3f25f64a843c0940b9db701181
SHA256 68a57e6f2b3ad207fa040f2e362454a3bfad25513fcc784965140e766ee8a2f7
SHA512 c54195cd4c1f6f2bf0134e219b05eb9c6889858a7f3f56c6719203ec50f0d462a1940471af90642631c4206748f65e7c4ffd651975522d00530bf4850482fb62

C:\Windows\rss\csrss.exe

MD5 fdb5dc85a26d2aa74f762634d86b7b8f
SHA1 c9c40ab974982eff6a39e3fa13b6ffb0722a51d7
SHA256 2ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7
SHA512 8fcd96eee55e9fc646f95e1eb74da88b729c0f75eabf9b83712de041aee1f11ee41bb74f013387cf9ba1b34790f90109a318ede811b7eb5b5b3cb50e79205d0a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5474f4950e417a5f563ee6941b22870c
SHA1 50150f50e659501d3fb59dec96df786e217d923b
SHA256 a41209779891665d166d5ccda78445b3c03214f9a021df0f3bf462b2d5910d29
SHA512 a8a6f81b257b8e6de8e6d49179361e8eb24757738ff84f84da3e6f0943de2795a079944f111d7bc5a4331d2bf54832c1c4c34ada848adcd55735c5d40f3710ca

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5d246aea874f224d536490cf7cfd496b
SHA1 35c69a90fa8006d96610d5237b738957d9a4af36
SHA256 cd4697a56e4345259a38008eb6e97de0770462fe8c006569a5f0c92a4b74f7b3
SHA512 c4966403c935e20bb9716021047fb5b2dfa2dc9c5315eff982524791715a2ed73b4b5a5de99ce43330bae0d72ee31f5518dbbab7303ae94cbba68bbde1c643dc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eba168e89b4ed46da5ecdc05cbde8af6
SHA1 c4dcc11f9b2060bfc2a9edd8997f00247d1f09db
SHA256 6badb41295a898eaeeaba9ffd909bf60f8c972cf42f7dff38cece97ad4695b86
SHA512 8abd2b4b076c53c4b5874d4c7d4bab3077aeca77ce4f908b86f1ea98955c460dd9f1638cd694b9ad545f8a261b8cfd742592b7c2ef6c3cb53c09e6c2579e4e9e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
