Malware Analysis Report

2024-11-13 19:43

Sample ID: 240517-h1g2tafc39
Target: f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4
SHA256: f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4

Threat Level: Known bad

The file f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-17 07:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 07:12

Reported: 2024-05-17 07:14

Platform: win10v2004-20240426-en

Max time kernel: 150s

Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

18 matches; no description, indicator, process or target recorded (all fields N/A).

Modifies Windows Firewall

evasion
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |

UPX packed file

upx
6 matches; no description, indicator, process or target recorded (all fields N/A).

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Checks for VirtualBox DLLs, possible anti-VM trick

| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |

Launches sc.exe

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious behavior: EnumeratesProcesses

64 events; no description, indicator or target recorded (all N/A). Events by process:

| Process | Events |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | 32 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 14 |
| C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | 12 |
| C:\Windows\rss\csrss.exe | 6 |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| PID 2956 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2956 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2956 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\system32\cmd.exe |
| PID 3760 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\system32\cmd.exe |
| PID 2664 wrote to memory of 3376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 2664 wrote to memory of 3376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 3760 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\rss\csrss.exe |
| PID 3760 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\rss\csrss.exe |
| PID 3760 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | C:\Windows\rss\csrss.exe |
| PID 1736 wrote to memory of 1264 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1736 wrote to memory of 1264 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1736 wrote to memory of 1264 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1736 wrote to memory of 992 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1736 wrote to memory of 992 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1736 wrote to memory of 992 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1736 wrote to memory of 516 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1736 wrote to memory of 516 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1736 wrote to memory of 516 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1736 wrote to memory of 3040 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 1736 wrote to memory of 3040 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 1244 wrote to memory of 1264 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1244 wrote to memory of 1264 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1244 wrote to memory of 1264 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1264 wrote to memory of 4060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 1264 wrote to memory of 4060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 1264 wrote to memory of 4060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |

Uses Task Scheduler COM API

persistence

Processes

| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | "C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe | "C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.107:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.107:443 www.bing.com tcp
US 8.8.8.8:53 107.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 12d49df8-f677-4633-b8d2-452f9666661d.uuid.localstats.org udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.localstats.org udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server9.localstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server9.localstats.org tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server9.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iuwi0xo4.khi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2f074a6040df20a1d5f7916581e3549d
SHA1 9e4b28c01a856af200409b6c8729c1896cce5aaf
SHA256 072e5d5f0f190086f2e15931ad9c01fd1b6ce26e6d44d5da6dcdf0ef505d8aec
SHA512 d3b42e4b3a2c8a2a7f4f09dbaaf0cfbe2a5832514f67c1336789bdba23fe9836663c92d89f72540a37ceadd47b7ecd173e5d201b0dc6c3afc3d4919666cb1a6d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 41d8231a7457b1e73ba136d37f9261dd
SHA1 ee5d50ecd8f6b61da901c12c18d4005f5a562801
SHA256 53bf34c686ffe5475072ef3e60e93b784dc9aa226e2d56e0ea80c776427e1367
SHA512 a2071a83aef21c6eea4f5d15c080cff483b7d7de30250ab9359040e0b564faf542cd2bbcf5a9b88f946c7133bcb329460115fccd4e6320fb3449f9a5d3f8c157

C:\Windows\rss\csrss.exe

MD5 b4081fad3c5b5cf75918c1442d454a86
SHA1 d78dae667b58cf723dcb69c2870e4d5f684a96fe
SHA256 f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4
SHA512 c218bc6e9d4fca4070fdf0263cf7942c77d5711c9ee58a0e4b362559ec6d7bda6492d64d9c495e5781d3469d3ba3e2340628ed3da4237a055083295b11795a0f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aa516e1fd5cfcd86581a0a2e2ab1a7c5
SHA1 fb5d1c54711ead3bc5c950a22717b467e4081fe7
SHA256 988b4ed5eb7ee105095214f7f259a29a15bc0e867458dcfe29c98844ec9e66f9
SHA512 e98d9927e6bf4fc2744c0c6832119c124a4574a85fb9bda409e42e4bd3b4171f394552432e7e3f231a84ae8ed5eaeaad3fddf8b7260be06d16e5daef802596c7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 031cd9f99f87238980ae08300ceb4158
SHA1 2b5badc3d9a9b8eb1de5defae086b4d9692e969d
SHA256 ef006ac642673ac151a9428cd65a753c48f4d2ec60e63415dd210fb3d1eb2688
SHA512 3891176e3faefa542b561f4bc9bfce213545c7f5adfc3b9e4043b355d3796dd6f80a81b89a22e833a60d3dbed57fb2d90b13a7bd7e050779f4bb9306c0881424

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9ffe720f37948ff616571ee9a2f5c202
SHA1 66d92c80d9ec73971402f6ee516d5ab64737f58f
SHA256 6e35b5791ad55e73eb8d21bac9238a9dd2e0236091371e68f0524116237b38f8
SHA512 a819168d0ef0a1c9cf3c0c06b86c3068468ec6d2ec8d427a1c781d420d5ec65dbd4fa110c32d025aa19a3b33f5a822bbc3c0a4178b25f3bc972df7f90df37dac

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 07:12

Reported

2024-05-17 07:14

Platform

win11-20240426-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\system32\cmd.exe
PID 4148 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\system32\cmd.exe
PID 3016 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3016 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4148 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\rss\csrss.exe
PID 4148 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\rss\csrss.exe
PID 4148 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe C:\Windows\rss\csrss.exe
PID 4244 wrote to memory of 1332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 1332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 1332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 920 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4244 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1324 wrote to memory of 228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 228 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 228 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 228 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe

"C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe

"C:\Users\Admin\AppData\Local\Temp\f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 223de492-c273-4cae-bab9-5d6580377dd7.uuid.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server8.localstats.org tcp
US 15.197.250.192:3478 stun.sipgate.net udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server8.localstats.org tcp
BG 185.82.216.111:443 server8.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlelgaat.mzw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e2a8ba04c942c61cc9932ee969050d49
SHA1 9a273ee39107ba52fca768bd910700ba9bb5ce55
SHA256 9f5be18a981a989493861772a444b93be43636fbdf99ab0b891c9dcebd9ca350
SHA512 fe601aa85703173bfa9169b9fa79471254d8e2ce8c736e23ba453451acb032334df98098c9199565f9853cdbfe2c24e7b05e1f76ba23410a8a0994a34441b2cf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f934d0dff77f06a2342d885e7fe39e5
SHA1 2564f0d4fdbb84f3d24b86343d0ecff8b59c9d38
SHA256 382d219f84ad0f7fbf62f20de633e88dceb88d8e894405531418b6b2ff46ae10
SHA512 262ca7e996e43001e4a8e22d08dc9730b651f9d70346ac0834227cd9d5fe49617958d2bd6e09dd05441a2567a7cd915c2b72c62093e4376d66f636e86d80b92b

C:\Windows\rss\csrss.exe

MD5 b4081fad3c5b5cf75918c1442d454a86
SHA1 d78dae667b58cf723dcb69c2870e4d5f684a96fe
SHA256 f43b71f2300cc8b558518fa0f5b3530ceb43a02e2d45bd91bde38441021215a4
SHA512 c218bc6e9d4fca4070fdf0263cf7942c77d5711c9ee58a0e4b362559ec6d7bda6492d64d9c495e5781d3469d3ba3e2340628ed3da4237a055083295b11795a0f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd48be8fc31d44994dad41b003c1553c
SHA1 35532da68bc623407a0fd5af9b1793c05772722a
SHA256 18d2db0ff1633a44c85b2ae3a8fbe3c05d5e0b7286a6664935b4c57a21a24afc
SHA512 4229694017a8f3d7002fdabe7f5fd498f3a17d714996380e8f0e656a7d15c3ec14c142b25a58923bdd76192ae6d27f709afd187c3d7fc001e91af866b93a1c09

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f8e0419b91420d00234ac82aefe36228
SHA1 b6c83df95da068dfd66d29962468fb848c054a4a
SHA256 5d939b811ab8cd738fd3468fda6a7d065c1df5af9ca519b6f359f49d3f1a3707
SHA512 9afccf8d8caa5151cd467c68310c2fece6caa083bedcd60c5c75c387be2967f961930f51f96df400425d4dcb4cb5a54e4d6c2d49e9a55363e67caf98d2444c81

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0093f848124c5d4fb726c93a632b862f
SHA1 9c27184ed70b9279bcf6af4a831462fef56a5c8e
SHA256 b320aa3d61a109adc911e1e39b4248c87e4e459b7e93ee7b9784ac29a893a427
SHA512 d959d5f0d99ca6b9f22a3d18eb54e7439d7e7cd5ba2e83bf1e4c25033ac1f1faa6ffcc33255fcafe5d666897add988f06f0b348e951f9da2351afb3b07a5cd85

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
