Malware Analysis Report

2025-08-10 17:18

Sample ID 240418-y57e9sfb3s
Target 23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15
SHA256 23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15
Tags
glupteba discovery dropper evasion loader persistence upx rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15

Threat Level: Known bad

The file 23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence upx rootkit

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-18 20:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 20:23

Reported

2024-04-18 20:25

Platform

win10v2004-20240226-en

Max time kernel

98s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
15 matches recorded; the report gives no description, indicator, process or target for any of them

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
4 matches recorded; the report gives no description, indicator, process or target for any of them

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-<id> (35 string-resource entries, listed below) C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\<subkey> (24 distinct certificate-store keys, listed below; 29 rows in the raw log, duplicate rows merged) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

tzres.dll MuiCache entries written by the sample (resource id = cached display name):
-1662 = "Bahia Standard Time"
-3052 = "Qyzylorda Standard Time"
-361 = "GTB Daylight Time"
-2571 = "Turks and Caicos Daylight Time"
-2751 = "Tomsk Daylight Time"
-1041 = "Ulaanbaatar Daylight Time"
-1931 = "Russia TZ 11 Daylight Time"
-931 = "Coordinated Universal Time"
-622 = "Korea Standard Time"
-181 = "Mountain Daylight Time (Mexico)"
-542 = "Myanmar Standard Time"
-741 = "New Zealand Daylight Time"
-572 = "China Standard Time"
-201 = "US Mountain Daylight Time"
-1831 = "Russia TZ 2 Daylight Time"
-2391 = "Aleutian Daylight Time"
-982 = "Kamchatka Standard Time"
-2062 = "North Korea Standard Time"
-1832 = "Russia TZ 2 Standard Time"
-434 = "Georgian Daylight Time"
-842 = "Argentina Standard Time"
-772 = "Montevideo Standard Time"
-502 = "Nepal Standard Time"
-202 = "US Mountain Standard Time"
-391 = "Arab Daylight Time"
-42 = "E. South America Standard Time"
-1502 = "Turkey Standard Time"
-2001 = "Cabo Verde Daylight Time"
-2752 = "Tomsk Standard Time"
-742 = "New Zealand Standard Time"
-601 = "Taipei Daylight Time"
-152 = "Central America Standard Time"
-341 = "Egypt Daylight Time"
-2412 = "Marquesas Standard Time"
-241 = "Samoa Daylight Time"

Certificate-store keys created by powershell.exe under \REGISTRY\USER\.DEFAULT\Software\ (first occurrence order):
Microsoft\SystemCertificates\SmartCardRoot\CRLs
Microsoft\SystemCertificates\TrustedPeople\Certificates
Microsoft\SystemCertificates\trust\Certificates
Microsoft\SystemCertificates\CA
Microsoft\SystemCertificates\Disallowed\CTLs
Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Microsoft\SystemCertificates\SmartCardRoot
Microsoft\SystemCertificates\TrustedPeople\CRLs
Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Microsoft\SystemCertificates\Root\CRLs
Microsoft\SystemCertificates\CA\CRLs
Microsoft\SystemCertificates\trust\CTLs
Policies\Microsoft\SystemCertificates\trust\CRLs
Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Microsoft\SystemCertificates\TrustedPeople\CTLs
Policies\Microsoft\SystemCertificates\CA\CTLs
Policies\Microsoft\SystemCertificates\trust\Certificates
Policies\Microsoft\SystemCertificates\trust
Policies\Microsoft\SystemCertificates\TrustedPeople
Policies\Microsoft\SystemCertificates\CA\Certificates
Policies\Microsoft\SystemCertificates\CA
Microsoft\SystemCertificates\trust\CRLs
Microsoft\SystemCertificates\CA\CTLs
Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates

Reading the two groups: the tzres.dll strings are time-zone display names cached while the sample reads the Windows time-zone table (most likely runtime initialisation rather than a deliberate action), and the SystemCertificates keys are what CryptoAPI creates the first time powershell.exe touches the certificate stores of a profile that has never used them. Neither group is tampering in itself. They are worth noting because HKEY_USERS\.DEFAULT is the hive behind the LocalSystem profile, and the same PowerShell instances write into C:\Windows\SysWOW64\config\systemprofile (see Drops file in System32 directory above), so these children were not running under the submitting user's profile.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (16 events) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe (12 events) N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 1868 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 1368 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 4944 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\system32\cmd.exe
PID 4944 wrote to memory of 1224 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3524 wrote to memory of 4168 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 3216 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 4436 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\rss\csrss.exe
PID 4436 wrote to memory of 3828 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\sc.exe
PID 4436 wrote to memory of 2592 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Every row pairs a parent with a child that appears as its direct descendant in the Processes list, so the table doubles as the process tree: 5080 is the first run of the sample (it crashes; see the WerFault -p 5080 entries below) and spawns powershell 1868; 3524 is the second run and spawns powershell 1368, 4168 and 3216, cmd 4944 (which runs netsh 1224 to add the firewall rule) and the dropped C:\Windows\rss\csrss.exe as 4436, which in turn runs sc.exe 3828 and powershell 2592. The sandbox raises this signature for the memory writes a parent makes while creating a child; no injected payload is recorded in these rows.

Uses Task Scheduler COM API

persistence
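The firewall, Run-key, scheduled-task and service-DACL signatures above all reduce to a handful of command lines that the Processes list records. As an added example, not part of this report or of any sandbox's rule set, the Python below runs a small set of detection rules over process-creation events constructed from those command lines plus one benign control. The event shape (image, cmd), the TRUSTED_DIRS allow-list, the SYSTEM_PROCESS_NAMES set and the rule names are this example's own assumptions; real telemetry (Sysmon event 1, Security 4688) carries more fields to key on.

```python
import re

# Process-creation events constructed from the command lines in this report's
# Processes list, plus one benign control at the end. Event shape is assumed.
EVENTS = [
    {"image": "C:\\Windows\\system32\\netsh.exe",
     "cmd": 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
            'program="C:\\Windows\\rss\\csrss.exe" enable=yes'},
    {"image": "C:\\Windows\\SYSTEM32\\schtasks.exe",
     "cmd": 'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'},
    {"image": "C:\\Windows\\SYSTEM32\\schtasks.exe",
     "cmd": "schtasks /delete /tn ScheduledUpdate /f"},
    {"image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmd": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
            "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe",
     "cmd": "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe "
            "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll"},
    # Benign control (constructed): vendor updater task without /RL HIGHEST.
    {"image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": 'schtasks /CREATE /SC DAILY /TR "C:\\Program Files\\Vendor\\updater.exe" /TN VendorUpdate /F'},
]

# Assumed allow-list of directories where an auto-started or firewall-exempted
# binary is expected to live; tune per estate.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Core Windows process names; one of these outside System32 is masquerading.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "svchost.exe", "wininit.exe"}
# Explicit deny ACE for BUILTIN\Administrators covering stop (WP), pause (DT),
# delete (SD), change-config (DC) or write-DACL (WD) in a service SDDL.
DENY_ADMINS_ACE = re.compile(r"\(D;;[A-Z]*(?:WP|DT|SD|DC|WD)[A-Z]*;;;BA\)")


def paths_in(cmd):
    """Drive-letter paths in a command line, quoted or bare."""
    return [q or b for q, b in re.findall(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)', cmd)]


def untrusted(path):
    return not path.lower().startswith(TRUSTED_DIRS)


def masquerade(path):
    return path.lower().rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and untrusted(path)


def check(event):
    """Names of the rules the event triggers, in rule order."""
    cmd = event["cmd"]
    low = cmd.lower()
    paths = paths_in(cmd)
    hits = []
    if (low.startswith("netsh") and "firewall" in low and "add rule" in low
            and "action=allow" in low and any(untrusted(p) for p in paths)):
        hits.append("firewall_allow_untrusted_program")
    if (low.startswith("schtasks") and "/create" in low and "/rl highest" in low
            and any(untrusted(p) for p in paths)):
        hits.append("schtask_highest_untrusted_binary")
    if low.startswith("schtasks") and "/delete" in low:
        hits.append("schtask_deleted")  # weak alone; correlate with the task name
    if low.startswith("sc ") and " sdset " in low and DENY_ADMINS_ACE.search(cmd):
        hits.append("service_dacl_denies_admins")
    if any(masquerade(p) for p in paths):
        hits.append("system_process_name_outside_system32")
    if re.search(r"\w*hook\.dll\b", low):
        hits.append("hook_dll_argument")
    return hits


def scan(events=EVENTS):
    """[(first token of the command line, hits)] for every event."""
    return [(e["cmd"].split()[0], check(e)) for e in events]


if __name__ == "__main__":
    for name, hits in scan():
        print(f"{name[:60]:<60} {hits or '-'}")
```

Each rule keys on the combination that makes the observed command abnormal rather than on the tool alone: netsh adding an allow rule is routine, netsh allowing a binary in C:\Windows\rss is not; schtasks with /RL HIGHEST is common for installers, /RL HIGHEST pointing outside Program Files or System32 is not. The masquerade rule fires on both the firewall and the task command because both name a csrss.exe that does not live in System32.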

Processes

C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe

"C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe

"C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
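The sc sdset command above replaces the security descriptor of the WinDefender service. As an added example, not from the report, the Python below parses that SDDL, compares it with the descriptor the Service Control Manager gives a freshly created service (DEFAULT_SDDL is assumed here as the usual out-of-box value; confirm on a known-good host with sc sdshow) and lists what the change takes away from Administrators. The rights and SID tables are the standard two-letter SDDL abbreviations as they apply to service objects.

```python
import re

# Two-letter rights abbreviations as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
                   "SU": "Service logon users", "WD": "Everyone"}

# Copied from the sc sdset command line in the Processes list above.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: the descriptor the SCM assigns to a newly created service.
# Verify on a known-good host with:  sc sdshow <service>
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]}; each ace is a dict with
    type, flags, rights (set of two-letter codes) and sid."""
    acls = {}
    for section, _acl_flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^)]*\))*)", sddl):
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):
            f = ace.split(";")
            rights = {f[2]} if f[2].startswith("0x") else set(re.findall(r"..", f[2]))
            aces.append({"type": ACE_TYPES.get(f[0], f[0]), "flags": f[1],
                         "rights": rights, "sid": f[5]})
        acls[section] = aces
    return acls


def effective_rights(dacl, sid):
    """(allowed minus denied, denied) for one SID. Ignores group membership
    and ACE order, which is enough for a static comparison of two DACLs."""
    allowed, denied = set(), set()
    for ace in dacl:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "ALLOW":
            allowed |= ace["rights"]
        elif ace["type"] == "DENY":
            denied |= ace["rights"]
    return allowed - denied, denied


def lost_rights(sddl, baseline=DEFAULT_SDDL):
    """{sid: [right names]} present in the baseline DACL but removed or
    explicitly denied in sddl."""
    cur, base = parse_sddl(sddl)["D"], parse_sddl(baseline)["D"]
    lost = {}
    for sid in sorted({a["sid"] for a in base} | {a["sid"] for a in cur}):
        missing = effective_rights(base, sid)[0] - effective_rights(cur, sid)[0]
        if missing:
            lost[sid] = sorted(SERVICE_RIGHTS.get(r, r) for r in missing)
    return lost


def explicit_denies(sddl):
    """Sorted (sid, right name) pairs carried by DENY ACEs."""
    return sorted((a["sid"], SERVICE_RIGHTS.get(r, r))
                  for a in parse_sddl(sddl)["D"] if a["type"] == "DENY"
                  for r in a["rights"])


if __name__ == "__main__":
    for sid, rights in lost_rights(SAMPLE_SDDL).items():
        print(f"{WELL_KNOWN_SIDS.get(sid, sid)} loses: {', '.join(rights)}")
    print("explicit denies:", explicit_denies(SAMPLE_SDDL))
    still = effective_rights(parse_sddl(SAMPLE_SDDL)["D"], "BA")[0]
    print("Administrators keep WRITE_DAC:", "WD" in still)
```

The decoded change is narrow: the Administrators allow ACE drops SERVICE_STOP and SERVICE_PAUSE_CONTINUE and a deny ACE for the same two rights is added, so sc stop, net stop and Services.msc fail for an administrator while LocalSystem is untouched. WRITE_DAC (WD) stays with Administrators, so an elevated shell can still put DEFAULT_SDDL back with sc sdset WinDefender and then stop or delete the service, provided the driver the report tags as a rootkit does not reapply the descriptor.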

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 34014d38-4507-4eb9-af72-9b051349cd08.uuid.dumperstats.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server11.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server11.dumperstats.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
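The Network table mixes four kinds of traffic: reverse (PTR) lookups of public IPs, a DNS name whose first label is a UUID, STUN to Google, and the TLS sessions to dumperstats.org, discordapp.com and carsalessystem.com. As an added example, not part of the report, the Python below classifies a constructed subset of the rows above and pivots the PTR names back onto the IPs the sample connected to. The category names, the UUID pattern and the rule that anything not aimed at port 53 counts as a contacted peer are this example's own.

```python
import re
from collections import Counter

# Constructed subset of this report's Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "13.107.253.64:443", "", "tcp"),
    ("US", "8.8.8.8:53", "34014d38-4507-4eb9-af72-9b051349cd08.uuid.dumperstats.org", "udp"),
    ("US", "8.8.8.8:53", "stun.l.google.com", "udp"),
    ("US", "8.8.8.8:53", "server11.dumperstats.org", "udp"),
    ("US", "8.8.8.8:53", "cdn.discordapp.com", "udp"),
    ("US", "162.159.135.233:443", "cdn.discordapp.com", "tcp"),
    ("BG", "185.82.216.111:443", "server11.dumperstats.org", "tcp"),
    ("US", "74.125.250.129:19302", "stun.l.google.com", "udp"),
    ("US", "8.8.8.8:53", "233.135.159.162.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "129.250.125.74.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "carsalessystem.com", "udp"),
    ("US", "172.67.221.71:443", "carsalessystem.com", "tcp"),
    ("US", "8.8.8.8:53", "111.216.82.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.221.67.172.in-addr.arpa", "udp"),
]

UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
PTR_NAME = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def ptr_target(name):
    """'4.3.2.1.in-addr.arpa' -> '1.2.3.4'; None for anything that is not a PTR name."""
    m = PTR_NAME.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    """Category names are this example's own, not the sandbox's."""
    _country, dest, domain, _proto = row
    port = dest.rsplit(":", 1)[1]
    if ptr_target(domain):
        return "ptr_lookup"            # reverse lookup of an IP address
    if domain and UUID_LABEL.match(domain.split(".")[0]):
        return "uuid_labelled_host"    # per-victim identifier carried in the DNS name
    if port == "19302" or domain.startswith("stun."):
        return "stun"                  # NAT / public-IP discovery
    if port == "53":
        return "dns_query"
    return "session"


def summarize(rows=ROWS):
    classes = Counter(classify(r) for r in rows)
    ptr_ips = {ptr_target(r[2]) for r in rows if classify(r) == "ptr_lookup"}
    # Peers the sample actually talked to: everything that is not a query to the resolver.
    contacted = {r[1].rsplit(":", 1)[0] for r in rows if r[1].rsplit(":", 1)[1] != "53"}
    return {
        "classes": dict(classes),
        "uuid_hosts": [r[2] for r in rows if classify(r) == "uuid_labelled_host"],
        "ptr_of_contacted": sorted(ptr_ips & contacted),   # reverse lookups of its own peers
        "ptr_unexplained": sorted(ptr_ips - contacted),    # reverse lookups with no session
        "session_domains": sorted({r[2] for r in rows if classify(r) == "session" and r[2]}),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Two things fall out of the pivot. Most of the PTR names reverse to addresses the sample itself connected to (185.82.216.111 is server11.dumperstats.org, 162.159.135.233 is cdn.discordapp.com, 172.67.221.71 is carsalessystem.com, 74.125.250.129 is the STUN server), which ties the lookups to sessions even though the table does not say whether the sample or the OS issued them; 52.191.219.104 has no matching session in the table. The UUID label under uuid.dumperstats.org is the kind of per-host identifier a beacon embeds in the query name, so a DNS-log search for UUID-shaped first labels under that zone is a cheap way to enumerate infected hosts without inspecting the TLS sessions.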

Files

memory/5080-1-0x0000000003510000-0x0000000003917000-memory.dmp

memory/5080-2-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/5080-3-0x0000000000400000-0x0000000003009000-memory.dmp

memory/1868-4-0x00000000747B0000-0x0000000074F60000-memory.dmp

memory/1868-5-0x00000000052F0000-0x0000000005300000-memory.dmp

memory/1868-6-0x0000000005140000-0x0000000005176000-memory.dmp

memory/1868-7-0x0000000005930000-0x0000000005F58000-memory.dmp

memory/1868-8-0x0000000005750000-0x0000000005772000-memory.dmp

memory/1868-9-0x0000000006050000-0x00000000060B6000-memory.dmp

memory/1868-10-0x0000000005FE0000-0x0000000006046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_da1iwhpf.hzb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dec154e58554e5829b25f33ee6efa7f7
SHA1 9a88c3f7f4d63182a417097d637be7b6cebcad36
SHA256 c7e352ac673d03055af94d4a3c594e34e1b732dda2aac8e0e9fa4e980a0e4a0b
SHA512 588777c90f23b7d26edcaf72656b7a68930ae764602259b38ef81899898a0c2ee354fd2c923a157a3e75b07659fb9f9ca9da318e2a7e52b95e56e0a204b2a678

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a64ffea2a176caeb1e647bf3f528a8fe
SHA1 53a7b64d924790c1f21196bff9b8a6366ace5f96
SHA256 1b57164c3a8dcb945390f6e4a5a7fcdd8c5a8a804466e44362bd18def9cc6e56
SHA512 59d7d46ae8d39a1132ca7d9a60bff736dc396671a63f3baa759e4821543ecee8b841f05a105b786e85c7d59a2c5afa8561909f228fc9beee8f8547c3b0a3da3a

C:\Windows\rss\csrss.exe

MD5 8b65c04554fdc08623e5a74f8f9b9fd2
SHA1 2eda34fba02fde8495b70060623c64d8938c82e8
SHA256 23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15
SHA512 64d6cda2aef8d337d5561ce59170431bb76ca4a00ff66e7d61f2f77622f0e68ea5f31b7459321b3f161a182d943a0adb7c09c21c3defd70a23a4a00410bf3a86

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 00895e6e7114a28f7d9f699eeba2da82
SHA1 5e8cec1cf0a3331edd7cccf34218fbba5b1df6cb
SHA256 fba1fe5a9d1a5449a1fab1f5c0c3fbfb2a6378786d50f21ae0590d2f05506e3a
SHA512 0896d936d16aefa7016e4e0e87621c8c5d4f533b934ad2eafa68eb9ea755a1a6f46484e34680737f6534138d33348b7e590abec13f156fba24f96fbc61dbe2e2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b7d8327239cb55aed03906e49faf5712
SHA1 1d4cb7b4cd2b34f51e12e1b5ff40e85492f24912
SHA256 47ea54863608a815df53d00aaa5308bc76fb383aef37f0077f6c1811337ea64b
SHA512 48fe06ac955abcebbc6838650de730577b9b01b4175929abd1f734f5b61b20a435ceda6b2570a94b8f518d7060c3a167b7bce64268a62948f35667b35a48538a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d9c32e32250e177564c5c3f6cc40d107
SHA1 3263527b4b0a60f273bd3f3c018740266d2bb976
SHA256 c29cee641d2201a54d9f696b5638f311ba4900c6a5055395f87c5185ab27685a
SHA512 9e86a1e432b62d46197e78c578f646950d4a83c32c12b26c5fffec6b39e3a6a39efa00d871c2322aff01e2f06d42e165e95863ebb641fe332c434e72308a446b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 20:23

Reported

2024-04-18 20:26

Platform

win11-20240412-en

Max time kernel

157s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 404 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe C:\Windows\rss\csrss.exe
PID 2780 wrote to memory of 2524 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 1592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 900 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 3176 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2704 wrote to memory of 3084 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe

"C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe

"C:\Users\Admin\AppData\Local\Temp\23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server15.dumperstats.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ed0mr0p1.bd2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a24447ba16beeb6bae6e024c9d7df2d9
SHA1 6409a61a7bdd1772be96dfca5eda5ca24ef39ff4
SHA256 0bc01089a524a542922a8ef4b5d14104a980ba9d06b9e385c26a965eab999371
SHA512 0568dd25d6dd24ac1d93ed54577210025296d2f93516d7519e64918f1c054f0bf34edd5ad8d422fac7747a40a9115092a8a28252280f5205019395b2672f370e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 adcecb1b7161c88df2d59085077733f2
SHA1 76b75d1a05610dfd6871ba7ba8bee9bc3f99ab31
SHA256 576c1cb77711bb627b8b06a3f4000a5b4ab4b77d0655709fb71b592a3ad16e59
SHA512 7b99c21437a3f471f5f6273bdb9130b04d69ba0a608a669649010124f1edd9dec93b937aed9010a40faeb90f3842e922581088d0cb6cf8dc36b83c460e7147be

C:\Windows\rss\csrss.exe

MD5 8b65c04554fdc08623e5a74f8f9b9fd2
SHA1 2eda34fba02fde8495b70060623c64d8938c82e8
SHA256 23e9be12f1a03f88ca40ca44e5c9727fa0379c277b2ffc7c54114ec7878f3e15
SHA512 64d6cda2aef8d337d5561ce59170431bb76ca4a00ff66e7d61f2f77622f0e68ea5f31b7459321b3f161a182d943a0adb7c09c21c3defd70a23a4a00410bf3a86

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a67ef0f6238a3d6e0bd4cd75e80a932a
SHA1 9bcb6475811459183867e45412739d49bbd0d2f2
SHA256 4611a6f1f876d80de0129d7a62638787cf655a684f42c7165b950615286c98d6
SHA512 5c50a66fe05016a3f9d0b19c487b23e46934423efc28e1c829c3476e641269200a6506f3c806a9e3a0b7168455324c2583582139d74377897947f65522c459d9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 52a8487b52362d9e74eebfa2acff52c6
SHA1 9ea19a79d7dc68fb4fd4b4d9436594b3cd1f49e7
SHA256 e5c34d047fe1737f2c95f74664c3e65fb8e73875b7c8ff60e966713349c5accb
SHA512 7e42c480f1b003f253e9db596e69a00d575e64d79206f9f4d75c4c56421e01789a0ae6c2e544e84c9b11aeb2e4e0854805383f7f0046b8622093760811d02a59

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 669e20bd2d47f85de65a74cce4971567
SHA1 a8b9069164eac595ab364d47574f4c8436d06d4d
SHA256 6c2878e1733934059a5822eb4d7bb9beef5ba3a399f609b243ad19a851889378
SHA512 d95e57c804fab192c0f784a4fb71c85bdc047906f58bbc2e10d62511243e4f524ce9e992e8a6ef0ecbe86f83a7ce43ec1992e68f0f5577de101047dd1807b5a9

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
