Malware Analysis Report

2024-11-13 19:40

Sample ID 240517-qnjc4saf62
Target 04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7
SHA256 04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7

Threat Level: Known bad

The file 04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Program crash

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 13:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 13:24

Reported

2024-05-17 13:26

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (20 matches, no indicator details reported)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no indicator details reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (5 identical events)

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (12 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A (12 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (34 events)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
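The two sc.exe rows above show the service-control tool enabling SeSecurityPrivilege, which is what writing the SACL part (the "S:" section) of a service security descriptor requires; the command that does it, `sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)...`, is recorded in the Processes list of this analysis. The following Python is an added example, not part of the sandbox report, that decodes that descriptor and diffs it against the stock service DACL to show which rights Administrators lose. The two-letter right codes are the ones documented for sc.exe; DEFAULT_SERVICE_SDDL is the commonly observed default for a Windows service and is an assumption of the example.

```python
"""
Added example (not part of the sandbox report): decode the service security
descriptor the sample applies with `sc sdset WinDefender ...` and compare it
with the stock service DACL. DEFAULT_SERVICE_SDDL is the commonly observed
default and is assumed; the right-code table is the documented sc.exe one.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Service-specific and generic access rights as SDDL two-letter codes.
RIGHTS: Dict[str, str] = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Builtin Administrators",
            "IU": "Interactive users", "SU": "Service logon", "WD": "Everyone"}

DEFAULT_SERVICE_SDDL = (  # assumed stock descriptor of an ordinary service
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_SDDL = (  # verbatim from the sc sdset command line in this report
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


class Ace(NamedTuple):
    kind: str          # allow / deny / audit
    flags: str         # ACE flags field, e.g. FA = audit failed access
    rights: List[str]  # two-letter right codes
    sid: str           # trustee abbreviation (or a raw SID string)


def parse_sddl(sddl: str) -> Dict[str, List[Ace]]:
    """Split 'D:(ace)(ace)S:(ace)' into its DACL ('D') and SACL ('S') ACE lists."""
    acl: Dict[str, List[Ace]] = {"D": [], "S": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
            kind, flags, rights, _obj, _inh, sid = ace.split(";")
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            acl[section].append(Ace(ACE_TYPES[kind], flags, codes, sid))
    return acl


def effective_rights(dacl: List[Ace], sid: str) -> Set[str]:
    """Explicit allows minus explicit denies for one trustee.
    Windows walks ACEs in order (denies canonically first); for a descriptor made
    only of explicit ACEs, as here, set subtraction gives the same answer."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in dacl:
        if ace.sid == sid:
            (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return allowed - denied


def lost_rights(default_sddl: str, observed_sddl: str, sid: str = "BA") -> List[str]:
    """Rights the trustee had under the default DACL but not under the observed one."""
    before = effective_rights(parse_sddl(default_sddl)["D"], sid)
    after = effective_rights(parse_sddl(observed_sddl)["D"], sid)
    return sorted(RIGHTS.get(code, code) for code in before - after)


def admins_cannot_stop(sddl: str) -> bool:
    """Detection check: an explicit deny of SERVICE_STOP (WP) to Administrators or Everyone."""
    return any(ace.kind == "deny" and "WP" in ace.rights and ace.sid in ("BA", "WD")
               for ace in parse_sddl(sddl)["D"])


if __name__ == "__main__":
    for sid, who in TRUSTEES.items():
        lost = lost_rights(DEFAULT_SERVICE_SDDL, SAMPLE_SDDL, sid)
        print(f"{who:24s} loses: {', '.join(lost) or 'nothing'}")
    print("Administrators blocked from stopping the service:", admins_cannot_stop(SAMPLE_SDDL))
```

Run as a script it reports that Builtin Administrators lose SERVICE_PAUSE_CONTINUE and SERVICE_STOP while every other trustee keeps what it had: the BA allow ACE has had WP and DT removed, and the extra (D;;WPDT;;;BA) ACE states the same thing as an explicit deny, so `sc stop` or `net stop` from an elevated prompt is refused until the descriptor is reset. The SACL is left identical to the default, which is why the only visible trace at the privilege level is the SeSecurityPrivilege enablement above.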

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 412 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3408 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 2936 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 4832 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3952 wrote to memory of 4064 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 4936 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 952 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\rss\csrss.exe
PID 952 wrote to memory of 1004 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1256 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 776 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 924 (2 writes) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2924 wrote to memory of 4056 (3 writes) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 4408 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe

"C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe

"C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 61b067c0-a3d6-446a-860b-667bb74870b6.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.databaseupgrade.ru udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BG 185.82.216.108:443 server2.databaseupgrade.ru tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oncfb0ed.qmp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8e03a563df2d3fbd927ab41a2a4b26db
SHA1 b1cf26439bf4c66a39616dcbae4c6002d0084a27
SHA256 1f96215802788598742d3d148f02930ac238e259dec49bd23fce8f1ef6137d9e
SHA512 91cbf3782be2b75e9e705bba3188d2fddbb81492beddd3313209ef5eff59ee72d3776d004f0d891005bb605557f61292b153a9c8b77e3ab035c6c1961b8b549f

C:\Windows\rss\csrss.exe

MD5 38989c9d938dd8be683d4ab11f1cda25
SHA1 081a6ba84933c8a544556ed2e6098693439f3386
SHA256 04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7
SHA512 e54564fb34014a5cd96fcde64c68161efa8c3790636550c0a0977645ea0b7bc4addb069227b8d18f709f2ca03956cd6071fbd32935015f108f7b08fb0618b200

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8ecafa4adac61d2ab474b3ebffbfabca
SHA1 282c3c82ecd6a086565fdaf191ff6e95b13885ae
SHA256 acca74d2cef41c3077530d9f3ff05efa337edbf97150cd5816d696b734d60cd0
SHA512 24e328d24eb6ebb930e64e67eaf5d44b782c3f121401df7f303d11566da8f891ee6f9c27caad215f57f404ae35c61f02dfb9c4e09209d4ea407a2c51370a5e8f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72911b28788ecf377e3f79e9690e069a
SHA1 137bf2cc61cc6368c6a4bcb4b72d2352ff440a59
SHA256 0b4f07d1c5fb82c51280afd0b3e3dd681f57c60fafb004b272766eedfb49982b
SHA512 a291e9e25d181f20132abaadf5616c56a1676e060ae419652239ba65afa0bda0f50abc251a3b8deb23b808bbdb750648506a08b9be48101a2a6e2561dd894753

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 93a4146fc90d01d78ca4309e6a7efa8a
SHA1 d1baadc40a5e3cb0b8420ff684cbeabe09c6bf94
SHA256 a216315e9bfde9820030e6b3cc7dd1f615c6ba05b125990d30902864117a6e22
SHA512 057b772caa97fca319d41f8b23cdc72b765ae61d2a5e1a0d19a67feae84f9407afb9e4fa898aa250cc00a3a942f5d35e044adfc89ef2661442f302eceb417471

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 13:24

Reported

2024-05-17 13:26

Platform

win11-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1532 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1532 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\system32\cmd.exe
PID 3804 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1160 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3804 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3804 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\rss\csrss.exe
PID 3804 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\rss\csrss.exe
PID 3804 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe C:\Windows\rss\csrss.exe
PID 1872 wrote to memory of 1956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 5112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 5112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 5112 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1872 wrote to memory of 1952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2756 wrote to memory of 4788 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4788 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4788 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4788 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4788 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4788 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe

"C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe

"C:\Users\Admin\AppData\Local\Temp\04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1532 -ip 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3804 -ip 3804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 40dd2da2-8ada-49c4-ab64-697701b1f908.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server6.databaseupgrade.ru udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.108:443 server6.databaseupgrade.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3lybngt.aaq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 39e0754df4abee64ac2dfe33f5ba6261
SHA1 6a86bac7179fb94cd270750d793354f68c1c0e6a
SHA256 6b0b83789978b2465eaab29346a5e22c1f6f57ec892207e997906bead2a259dc
SHA512 3922027ab036564dd77598150397ee5615536c6225c69374ed4b410c2d107b1f408a68f95df6026be8a476f5be303319777914c5955efb85d20465c93f5a097e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 36426c75451ec349acdd2159b83d22a2
SHA1 878eec381f4633c0feba2457099aee94b0935177
SHA256 81f44135fc6d5ea57d3fc27a4c2e2ae3d9fb395f29e5835726e5b4ecb8683f2c
SHA512 fb97b222897c2be5cf5be8d47e96cb2e91a0f4222351c7a12da9897f28f8d7835b8fda61f2233191341c37586c5f2f81cbf2a9636c4a2398b93ef641a8b124cf

C:\Windows\rss\csrss.exe

MD5 38989c9d938dd8be683d4ab11f1cda25
SHA1 081a6ba84933c8a544556ed2e6098693439f3386
SHA256 04a6fdf28550311c1486c787ca593d1bc63db2598d6d4dfbf0b72857d15ac8a7
SHA512 e54564fb34014a5cd96fcde64c68161efa8c3790636550c0a0977645ea0b7bc4addb069227b8d18f709f2ca03956cd6071fbd32935015f108f7b08fb0618b200

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06a0a61793c338fc061651000f64d055
SHA1 96eecc8811b49a3b873e96817a3a6906ec543d65
SHA256 57caf29f4b99c4abe69932e064761d5c07dc91d6e74def80162b3ae0d36cef77
SHA512 54b0237fe636b72cb3d40da0d16052866f893deab5d4d5889ebf463f49e76009db9f0007c61fec4e7b0d3910bb1521f67ecfcba53b885450ec0e5ac621d9647a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f8d9470ab204c64f8fea3d961783a76c
SHA1 947b9f37984d5d59285c2fe8f20b705631adf3bb
SHA256 b4263244f3b365852c77c96d214d113472992064b4312c405180f71c12bb0fc1
SHA512 528c516b06fd8d8b3dcb6a81a9d733af4d0a1428f0ec49471e5c1d1165300b54924541fa6d2412ab4afc87fdcebefd0b8c72e2a9fb66b5f6e8a119ed2cb09a01

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 501d0bf33690e0a469da6bd91f2516fe
SHA1 2b93d2ffe9afd686a7edd950c15a27c252fc4dcd
SHA256 b71e2fc3b6d10d0663681e6a344571b01b3dc8ac3546925ce8aae45193f81b0f
SHA512 2de45440bb73807ffbec123e84e2561824ef0da0d1473e869457e999f602a8a056a5bbaa9b1c3ef5ad4bb33472d51f2fca52b0d042edd29d878e51d785926982

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
