Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-lws53ace4x
Target ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7
SHA256 ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7

Threat Level: Known bad

The file ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 09:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 09:53

Reported

2024-05-17 09:55

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4696 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\system32\cmd.exe
PID 4580 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4580 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2084 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\rss\csrss.exe
PID 2084 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\rss\csrss.exe
PID 2084 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\rss\csrss.exe
PID 2840 wrote to memory of 4588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 4588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 4588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 1496 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 1496 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 1496 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 4028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 4028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 4028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 1952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2840 wrote to memory of 1952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4876 wrote to memory of 4844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4844 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4844 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe

"C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe

"C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0vmjly3.lrw.ps1


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive


C:\Windows\rss\csrss.exe


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive


C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe


C:\Windows\windefender.exe



Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:53

Reported

2024-05-17 09:55

Platform

win11-20240426-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\system32\cmd.exe
PID 4864 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4864 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1720 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\rss\csrss.exe
PID 1720 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\rss\csrss.exe
PID 1720 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe C:\Windows\rss\csrss.exe
PID 1772 wrote to memory of 1308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 1308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 1308 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1772 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3484 wrote to memory of 2412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 2412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 2412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2412 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2412 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe

"C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe

"C:\Users\Admin\AppData\Local\Temp\ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5ecfa1ca-12c9-4267-8697-2baaaf93a090.uuid.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.realupdate.ru udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server14.realupdate.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server14.realupdate.ru tcp
NL 52.111.243.31:443 tcp
BG 185.82.216.96:443 server14.realupdate.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3e21qs5t.hu4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7a5b64e64b941c0db3b72c1a7a2696bd
SHA1 470bea420b13ef84c1ebbaf36e270d397453e2b7
SHA256 73a614114d7a0b2092a3f21181eec6f8c8f474d923ccb64f58346267ab1d5e6f
SHA512 8bc277fc7246bbf268a652e2ae1288e6503a29cc8fe9b387824be6bda9b41a16cd37135401c820c4085cd3c13c0d93f60cf9602702fed35b73f20ecd5fbbf449

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 359b4302c4b580472ff4e3ab8a4c0add
SHA1 7f2977de0d27860bf2757de93545499b0dacf65e
SHA256 87838bb3d23e60ead9c0689cf1e7f2003f220175eea15784ca41c39273a16d5d
SHA512 6cc1b3cce19c8e6e60d2c10059a2c7b8aa79296953a712188669faedfa28206ff5c0c23e81de8e67541c58bd86eb81bb26f8fe84a0e30f9d005fd4018ec835a4

C:\Windows\rss\csrss.exe

MD5 41741bd88e1d102f077b036648b2c687
SHA1 8a96ce47debb903d8b2b134188d5798bdee6649a
SHA256 ebd137cdd1b593ce8189ed043d9c2be17254639f3c38f0ab3815aff391143ab7
SHA512 dd238fcc5ae0e43b657727f722937b4a7dde60ef22c37179b803af72b3e7e910688b0dd92f55edb6eed1ccc274937e5ec05fce2868300437d65ad3dd2953b36e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f86a6a465654d8157de493d7bc087c72
SHA1 e7d6fb949862374c78da58270eba109dbcb9b660
SHA256 6ee1b3e54044aa78f83736276dc3eb6dc998679396f82ca9da5f71ae925bbb69
SHA512 cbe6ddcfd50f4ccc7b2148f5fadac92cc30436a3af94ad3a2f11f571e195d6abad8ee463a77e2680d2b0dea6f0c786f96fac21dc230d79d2041f5e9215eb00dc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 025a647b2e380a81c79c60e7ded24c73
SHA1 3c3762a7829b18664f41b71162007c77070323a3
SHA256 0d01d653867ed2ac3e96912b34e773e9c5cc81d3db75c5f50c286380ce3fc959
SHA512 be7c2c441381938e22d6673773e4ad870aae53851ef0a2a11ebc9f1c5c505a68736872ce69c80283e009d16fca2f1eb27b1c15a8f433c4f4b814b1dbf8994240

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 48110ca9f834e2a1fb096fb962addd8e
SHA1 6dee5c742de3afef8b71d1331d4ce641109f413d
SHA256 7b83fd850cf461c5dfc10b862188395b9d751a67b8a05f18a644322f39635717
SHA512 c77a6de49e85dfa29fc42f5a347fa7f1b3e684b740bda7bc882a0915e77f8beb282575731d9507bbeb1fea364507e1d9ffaa9ba7721b40b2dab17e31c2afc020

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
