Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-xvszfsdg31
Target 2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c
SHA256 2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c

Threat Level: Known bad

The file 2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:10

Reported

2024-04-19 19:13

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows, all fields N/A)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3704 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3704 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3012 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1392 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\rss\csrss.exe
PID 1392 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\rss\csrss.exe
PID 1392 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\rss\csrss.exe
PID 1572 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3148 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3148 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 3148 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 1904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 1904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 1904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 4632 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1572 wrote to memory of 4632 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4476 wrote to memory of 4364 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4364 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4364 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4364 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4364 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe

"C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe

"C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 146.128.101.95.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 105.104.123.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 e3f563cb-1842-4f85-9202-4c5952664bb6.uuid.dumppage.org udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.dumppage.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server15.dumppage.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.111:443 server15.dumppage.org tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cymqpfw3.goa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 50bff6c9f04cf86ccd32ba18e65d436e
SHA1 27793f7688b2ec3aabfe1e6bdfc96366142576e8
SHA256 d9141d97820feccde9479bfaa7d31823352cc04abef162e279117393de3d3d02
SHA512 042172a7725b3a94e032e1ea1359a2b80fedd66992f27ab7c12ff3b36caca061321740b8b9078e70b437d784c19ad22c4aac616dc30fcf5a121533e77c68467e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ec6f2c7f6bbb0c2c25e72311ce078afd
SHA1 856ccdc7b386f18b03fa65bd4bfaad4ef46e22bb
SHA256 91900bb3bd0659584bcd9d2bc79e932e52c8ca778921f04f9fc549e936468f77
SHA512 748a3ce193cfe9e31d2c48fdf047b0aaee0bdf1f7baee5f018ad790a0c453304ba95ed23f91d43963996bba6b17857b5c480c9339ad7485ee5e548be42a59087

C:\Windows\rss\csrss.exe

MD5 9709aac66eb52e7354b6ac1ace25ddf1
SHA1 422cefdfc444f8e607986abef52c6fa4b4899b8d
SHA256 2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c
SHA512 c4de7bf94e2002a58b56efd82df8f898095376e13ead79ea58776cd70c3988b8a59a3405c9946dec5db448e6ae720f99d4be2f0319a6e4e8c12621331fb7c395

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf7ba2012400871cab776c966f89bab8
SHA1 0a4cf44a0f205c8cb9bef9ae32a39c4328c031da
SHA256 79f44d55a3137d70b6f9d7f6bb34cc0e2eb258b9b1c9a9f57c1a8011e793a407
SHA512 4add29e2486845995cb59a26b36aece6d9d42066c783d07be8b3cfbb9cc7bee1fbc086c619c3a65fa47a05c12fbb483fac06a459d95059f802e1250849eb7e22

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 abdf0a37438686ec6d79b577f8111b58
SHA1 b95a1a2366e49f58335531dbd26e4fce026e37a0
SHA256 69c28634e4cc9dd505e9ce017d11951d380357a4390eb4017b79c1534c2481ec
SHA512 a2c21e5667cff957fde8581e234e5a33d46601bf35a1793f2d773631141b4474e8156824ec2c821a15d6384c266c531d5da0016c91d36614205bdc12563f622e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a09519dc158bebdf65a6ea4c9c6676f6
SHA1 c5c5865b6c279e1358e60282293efa439901965f
SHA256 a8812315b42e7e66361e5304528da12a1689339551784022e26389b560c29364
SHA512 789c9a4a23ed4bb84605c08ed94d1f8b778d9ce18fc63019e834c7309120e88d0faf356d3bacc4b9c547df2503a4f98c170f5ca32c2f6ddc70f168da52bd52c4

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:10

Reported

2024-04-19 19:13

Platform

win11-20240412-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A (6 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 identical rows, interleaved with the csrss.exe rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (7 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2808 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2808 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 2868 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 identical rows)
PID 2808 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2808 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2808 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe C:\Windows\rss\csrss.exe (3 identical rows)
PID 3720 wrote to memory of 4652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 3720 wrote to memory of 700 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 3720 wrote to memory of 788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 3720 wrote to memory of 412 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (2 identical rows)
PID 1208 wrote to memory of 4204 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4204 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe

"C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe

"C:\Users\Admin\AppData\Local\Temp\2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e5f10b78-eab2-4b43-985d-4f38f807e2dd.uuid.dumppage.org udp
US 8.8.8.8:53 server10.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.111:443 server10.dumppage.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
BG 185.82.216.111:443 server10.dumppage.org tcp
BG 185.82.216.111:443 server10.dumppage.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0ptnoqd.vhe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6d11611833fcd869e8693dc523dc7db3
SHA1 b2f75ea1b59d51843926cacf38352ca6b2793d6a
SHA256 7be8a327db2b964440b6be35b791eabb79a81a26a3ef37e5a4ef75da5f39cead
SHA512 0a4bbdd3f42757558320ca74a3fd80e3a2b34dea475db0ef96f555206acc952f3b22dffab3fff07475ad3b11cc1364b6b9f6a8ac03fd5a4b58f8e9ee6c02940b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 95f0e4f83a7138c4fff4b2d90fd76cf2
SHA1 173b4e4abcd3bbd7d32e7a011be5dcaee15a8368
SHA256 46daf3f640d4c9b279678c73aad8c6436e2b1beb40a3419bac67a1f99e705e6c
SHA512 163e92c6bcd07d0899b8b11c0eb2ef6a0a7273413cbb71253ab8f8ed48f5f6c46096a9fbb6d0c13be1fd0f4ed059bd8a9c22fc68f7bb3cbb3e40ade895c1d849

C:\Windows\rss\csrss.exe

MD5 9709aac66eb52e7354b6ac1ace25ddf1
SHA1 422cefdfc444f8e607986abef52c6fa4b4899b8d
SHA256 2eeeb7f277838304a2a02b04ccc861d5bb0c7b2977d7aece244aaaca9aca530c
SHA512 c4de7bf94e2002a58b56efd82df8f898095376e13ead79ea58776cd70c3988b8a59a3405c9946dec5db448e6ae720f99d4be2f0319a6e4e8c12621331fb7c395

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a7126b805dbde9585eff09d4af1ae050
SHA1 2a927675ce0c917cb4c8743a04278e2827256fae
SHA256 828dfbab91bc37ef82bd2323932a512c5434a256dab9d59bd118699fa5406a16
SHA512 aa9d692c13eb7e14978bc34a28bc317c33644b45e71d5e2bc4673b9ccc8d2699ee60d24fed48674ee66e9bd41ff5c367b8988db855176f84f442391051697cac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9df6aeecf04e41934a04a5265596e42a
SHA1 b4c3c98c25bde975ee300f1490541b51135d9a76
SHA256 f2b2e55a1045b3a1b74a0864375981d65df3c53a04efc17d18cda6b07a7bba8d
SHA512 52b722c8418dd628e1e4a212ab965e786ef0671244328dff84b059238645858e3cbafa0f33b36dc4230b15cd6c1b8df7dacbba3dfd736bfcdb1ab265dc3fc976

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5a440e7328bea7c170b2a4135f8696f7
SHA1 84ed43b89ea2ff9975122678671fbf47a3ebe65b
SHA256 a312cbd27d44a85c322e72c17e5431f44235b080c96ed2bb7d6c1a2224293a27
SHA512 9464157c2e3f2331d41cc298e2e5385940bad3dba9462c709aaaa953fcd567594ff0bef1251adbf7f1c0c1be2a66a29ccd06a7bdeca1b153214b09971bf5327c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
