Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1fm2fabf4t
Target e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37
SHA256 e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37

Threat Level: Known bad

The file e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:35

Reported

2024-04-06 21:38

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
(18 matches; no description, indicator, process or target was recorded for any of them: all fields N/A)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(5 matches; no description, indicator, process or target was recorded for any of them: all fields N/A)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-571 = "China Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Matches
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A | 32
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 14
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A | 12
N/A | N/A | C:\Windows\rss\csrss.exe | N/A | 6
(64 matches in total, grouped by process; no description, indicator or target was recorded for any of them)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Matches
PID 2424 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1248 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1248 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | C:\Windows\system32\cmd.exe | 2
PID 4476 wrote to memory of 1636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe | 2
PID 1248 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1248 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1248 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe | C:\Windows\rss\csrss.exe | 3
PID 1184 wrote to memory of 4244 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1184 wrote to memory of 3160 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1184 wrote to memory of 3188 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1184 wrote to memory of 1708 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | 2
PID 2624 wrote to memory of 3104 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3104 wrote to memory of 4016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe | 3
(36 matches in total; consecutive identical rows are collapsed into the Matches column)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe

"C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe

"C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 b3707a01-d7f9-4f28-a0b8-00b83107ba15.uuid.dumperstats.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server9.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
JP 74.125.27.12:19302 stun4.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 12.27.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
BG 185.82.216.111:443 server9.dumperstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ui0nqot.1ys.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1437e9b2f184ae086603b0aa659ad098
SHA1 00b4d248926a916b4844a897969084935575c3ba
SHA256 dbe97b53136ec6577ab834782f98060934eadf31e575b7db119cf2accc878a3a
SHA512 71e7eca7ac306e79387b393e4ea910db6d844594f89e484507c1c8885370c6ff1c499ce4b7cb3660b64557f2df24821ababe603ffb6a2d1d7afa5a2806466b1c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ff0bcad3a5947fc1312c2588c54e3515
SHA1 190448119ee11c9dc457232f8a92630947f54b25
SHA256 aa2682256e20aecca05fa5b0607fe025ecfbd437b790b0b6da0c4e44d600089c
SHA512 24ec7f5dceedaf57bbe93d659be6b338ecf2e96abfe56ef5cd7efe9ed279e7564fedc92a4589ecc085d53446d96f9b4bcc6a1b87e6a262eb74888d3e098d8460

C:\Windows\rss\csrss.exe

MD5 7c6f12c38071f811585293e811e58fb5
SHA1 affd26e62e65b63ba46234859055f25c8ad74a68
SHA256 e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37
SHA512 94497a18a33eeb38b22cfb4dacb444d26a19a61696780189c704ed19ae8e9e27ae856fbeaee727743a934b73c422c48dd51e6865d9150c5220bea79aa1d0e630

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ddb7e3bdd7204edf549fa750866309e
SHA1 34be17a4d5a569fdf00f85ceaccab663430df885
SHA256 38fb8b370391d19b3517d5d21066d762e6a324fe37ffd4d5e3fabe4b891d81dc
SHA512 8b4be1bd9dfaeb558f4033552898325ee3ec3a871b3444893b089bc72fca11fd4c7651cdc82ff9fd830657a4613dd96b214fdd23a8dcfc78b438d2f339ed6ff1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 edd5652d51d81e2d2125bbe5cad0cc62
SHA1 1ced6d69525fd0a4c0173b2a5683329993490f85
SHA256 551bd8c8e41044f3c98b62bcc9116482f1e8edb40ae33b251e50535bc7310212
SHA512 c89aee38d2bb67a95d017d4115d110f6e6dfc64ecac526a3149cabb99e825fd27932c7f70ff20abdc1b57df148ac89a721972e2d5ed019de9e934c38d83f6fa3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a5ad442f8b866a6c62ea5f58288b7748
SHA1 c27b225c59fb1e168bcf650b9a7a43518a5f0b87
SHA256 61321bb0871b2015ebe2dcc73538185556a43a94c51f7ad4d467d9f5a0e3341b
SHA512 249d25ccc9e5da08a2925bb29d99e1f71dddbf0205e18988f2d2d76552e6db6f67171b9216187da141c8841ffa9a82f7a42bf7d312ed733ae74c5e9de0d6280a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:35

Reported

2024-04-06 21:38

Platform

win11-20240319-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\system32\cmd.exe
PID 4928 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3676 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4928 wrote to memory of 72 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 72 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 72 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4928 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\rss\csrss.exe
PID 4928 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\rss\csrss.exe
PID 4928 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe C:\Windows\rss\csrss.exe
PID 4328 wrote to memory of 1032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 1032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 1032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4328 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1288 wrote to memory of 4212 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 4212 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 4212 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4212 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4212 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe

"C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe

"C:\Users\Admin\AppData\Local\Temp\e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 752 -ip 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 server16.dumperstats.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.111:443 server16.dumperstats.org tcp
US 172.67.221.71:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0aurquv.yzg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1b4446472b1adbb6e4e1a67370a79a2a
SHA1 ec0b063fac61f38758e013db8a7e76e4e8880bfc
SHA256 6bb4b395823f71ec5d2024abbcbbfee3e718093a3729cf2c92fa63d6783a7748
SHA512 3c6bdee3264a518a9a4de0803cc012900f327c74af0487f3b1f1d0b8f1147c904c545a71c5396279ea49a80f977899460b32f1a8a8b140ab6441546e87d09fbc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e53c6074766b87f30753cb167c804fea
SHA1 74db1c160f9327d49b0e1bb85ec18107a03c329e
SHA256 322004e3a908e22e17308acf52feeff3238dd42f8b5758ccaa43db098ef01f71
SHA512 89f1f511827a94b9124a52bfd4f8208dece8810164e38f2932a349bdc3747646213a7b311f3467e9459eed91d12e0c547ec0fb11b0ca65f6c6d7aa027ecef000

C:\Windows\rss\csrss.exe

MD5 7c6f12c38071f811585293e811e58fb5
SHA1 affd26e62e65b63ba46234859055f25c8ad74a68
SHA256 e0b77eda896d4df44450996abccdbfee79d11804f428b944bffbaf40f291da37
SHA512 94497a18a33eeb38b22cfb4dacb444d26a19a61696780189c704ed19ae8e9e27ae856fbeaee727743a934b73c422c48dd51e6865d9150c5220bea79aa1d0e630

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ac92683986ce20cae81144d209ce5886
SHA1 3ab2587d0b3496acedbd399764f96c170f51d87e
SHA256 6ad3625b07c2a45ab4eb5f99bc50384b5dee160db67faa3465eead52d9cc21c1
SHA512 825916a9670717fa651e06313456121a3bff590dd6789f11d0994794df661f616fd4dae44c862533a1eb64b87dba8bf7cc93d711ca3c72e8f5cee398a06a0e0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 803102101146bc96be972bab2aa9b78d
SHA1 64fb6c6328f21bd95b9b20a98ed4198bf62c3b6e
SHA256 095a4aa2b3ac637fa46de7b8acd62fb93ac808233e7b41d9246789289772b4f2
SHA512 2fe3600bb12241c113f1298f5c812fe70563a24cab39695d9949e428436cc1cbcbb2a49fbe6c5965c224c0e9a6a9c7b539699c2e6cc3adfc607278e120f681e4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a526bfacf97aa24a612e6528e577daee
SHA1 465fc30433bec4192c71f77bb3ad0510d88dd396
SHA256 25ed0fc7b9e3a18f5194a30b94f5c8be2f6ab299cd252a1551e31ada0905ce31
SHA512 8ed4b8b83a1788fc38376d052d19fa0653b85bf1b5f24efab276f1edb1b21fb078d38c676c557b24feb263939331b95d65407444a79b0ef7202d73699005ec28

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
