Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x2g6jaaf6y
Target e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad
SHA256 e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad

Threat Level: Known bad

The file e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:20

Reported

2024-05-09 19:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4916 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4916 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4916 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\system32\cmd.exe
PID 4900 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\system32\cmd.exe
PID 5084 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5084 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4900 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\rss\csrss.exe
PID 4900 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\rss\csrss.exe
PID 4900 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\rss\csrss.exe
PID 628 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 4384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 4384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 4384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 4680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 4680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 4680 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 2160 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 628 wrote to memory of 2160 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 856 wrote to memory of 3288 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 3288 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 3288 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3288 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3288 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe

"C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe

"C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlevqtsd.zj5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc9021fb9b5f9f6ca37ea9cac09637eb
SHA1 118fabaa5ce7ce311d063378222f2856e9ee8f05
SHA256 2cd6b9cdebea5e8351b9e74251bf38b615a1d9f0178d63651bb1b62e452a02f9
SHA512 f269c4dfd3f47dd94b11ecd4077f6c350a7a60fda8bb5b795b40b321e490cf0cc18b97a16e4c6b00e94cc10d5e6a91421cee1177a9a9f4bcc42a7914d784e2b3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 83df4ec9bb3ae13b6834f6d0216c4530
SHA1 1707faceec55aa2db5e932fcbd8290ff71d87a18
SHA256 83462380beecc2911ed21662a30a1b29f8a7c1fe29422ded19602fc81e13b2e1
SHA512 2b9a0d289ef5c876edcdc8af7484808b88cbf3b180f8f84bb88fac7b8f863ed8341c1f37298c2bcc1413d5998c6fe40547ee3593d2248333239f1a0dcb5f7e73

C:\Windows\rss\csrss.exe

MD5 04505522e025cf61e4592405690c9068
SHA1 73c4ab3f6e69fdfafe9e42a60aba8225160b9e44
SHA256 e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad
SHA512 162a90dc5ac145913616e4690d4278229067c8b81e0ab5c6e1f4cb92d38a005798ac9b95c51de0873998ef9f44a7c1d0ef52ee8c904537d743ee85cd06f15162

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a5d83c59bf86288097601d0151d22a7f
SHA1 e1a09362c8e21b8854582de9bd43ce81d225bdd3
SHA256 491ef0edbd85cd2f126a1fc0b04888ebf3ebf4183ae131de5370dddcde9b4228
SHA512 267ca6e144612781923032c1dc726f45bcdb213edc55eea2442cc7bdd047cd4c302806e60a4b2147a236231d08cc31f23fb537bc43c87727a1b3cfdc60e7f14b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9c0777a1cf198135aac017c967656828
SHA1 6f8bd4f975637b9e79efa46e373dba8055b4b2fa
SHA256 50e5db695313336c4411763adc889a2eaaea4c5ded511aaf4d2fc12b04bb16dc
SHA512 58ef604311221e145fbeabc3c5a5906721c4c48a3d9452a47518edf513f64dcdc920f052fd3949757e2348eb9b9fe04fda09fed538b4d7c5f2380819f2458427

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4a16fb0f218a13f2d44bf22cd843142e
SHA1 13ab31d98c29ce1ea58e9a166337352070dd341d
SHA256 9e421c7092881db7fdf54d77b851d48b4ab3c14ad7c82e117b9936eb6dba9682
SHA512 575dac479a19d1c0ff9846e3fa50cfbb7167553eda932abab12e2b8540a6bbca9fee1f868139c2b969e7151539a6999c0ea1a13376bc03f22646927abdb4c08d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:20

Reported

2024-05-09 19:23

Platform

win11-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3580 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3580 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\system32\cmd.exe
PID 1424 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4576 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1424 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\rss\csrss.exe
PID 1424 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\rss\csrss.exe
PID 1424 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe C:\Windows\rss\csrss.exe
PID 1060 wrote to memory of 1924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 1924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 1924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 3544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 3544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 3544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 2352 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1060 wrote to memory of 2352 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2220 wrote to memory of 3060 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 3060 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 3060 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3060 wrote to memory of 896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3060 wrote to memory of 896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
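
The rows above are one event per WriteProcessMemory call, so each parent/child edge is listed two or three times and the chain is hard to read. Rebuilt as a tree, three roots appear in this table: the sample as PID 3580 (spawns only PowerShell), the sample again as PID 1424 (spawns PowerShell, cmd.exe for the netsh firewall rule, and the dropped C:\Windows\rss\csrss.exe), and C:\Windows\windefender.exe as PID 2220 (spawns cmd.exe and sc.exe for the service-descriptor change). PID 1060, csrss.exe from C:\Windows\rss rather than System32, is the process that launches injector.exe and further PowerShell instances. The following Python is an added example, not part of the report: it parses the rows transcribed from the table, collapses duplicate edges, and flags images that carry a core system binary's name outside System32/SysWOW64 (the list of such binary names is the author's assumption, not from the report).

```python
"""Rebuild the parent/child chain from the WriteProcessMemory rows and flag
masquerading images. The rows below are transcribed from the table above,
one per distinct edge, plus one deliberate duplicate."""
import re
from collections import defaultdict

# Paths exactly as they appear in the table's Process/Target columns.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe")
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
CSRSS = "C:\\Windows\\rss\\csrss.exe"
INJECTOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe"

ROWS = [
    "PID 3580 wrote to memory of 4380 N/A %s %s" % (SAMPLE, PS),
    "PID 1424 wrote to memory of 2736 N/A %s %s" % (SAMPLE, PS),
    "PID 1424 wrote to memory of 4576 N/A %s C:\\Windows\\system32\\cmd.exe" % SAMPLE,
    "PID 4576 wrote to memory of 3524 N/A C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\netsh.exe",
    "PID 1424 wrote to memory of 2180 N/A %s %s" % (SAMPLE, PS),
    "PID 1424 wrote to memory of 1388 N/A %s %s" % (SAMPLE, PS),
    "PID 1424 wrote to memory of 1060 N/A %s %s" % (SAMPLE, CSRSS),
    "PID 1060 wrote to memory of 1924 N/A %s %s" % (CSRSS, PS),
    "PID 1060 wrote to memory of 5028 N/A %s %s" % (CSRSS, PS),
    "PID 1060 wrote to memory of 3544 N/A %s %s" % (CSRSS, PS),
    "PID 1060 wrote to memory of 2352 N/A %s %s" % (CSRSS, INJECTOR),
    "PID 2220 wrote to memory of 3060 N/A C:\\Windows\\windefender.exe C:\\Windows\\SysWOW64\\cmd.exe",
    "PID 3060 wrote to memory of 896 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\sc.exe",
    # duplicate row, as the report repeats them; it must collapse to one edge
    "PID 3060 wrote to memory of 896 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\sc.exe",
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Assumption (not from the report): names of core Windows binaries that
# should only ever run from the system directories.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                   "svchost.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(rows):
    """Return (image, children): pid -> image path, and parent pid -> child
    pids in first-seen order, each (parent, child) edge kept once."""
    image, children = {}, defaultdict(list)
    for row in rows:
        m = ROW_RE.fullmatch(row)
        if not m:
            raise ValueError("unparsable row: " + row)
        ppid, pid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m.group(3))
        image.setdefault(pid, m.group(4))
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return image, dict(children)


def roots(image, children):
    """PIDs that never appear as a child: the table does not record their parent."""
    child_pids = {c for kids in children.values() for c in kids}
    return [pid for pid in image if pid not in child_pids]


def depth(children, pid):
    """Number of parent edges above pid (0 for a root)."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    d = 0
    while pid in parent_of:
        pid, d = parent_of[pid], d + 1
    return d


def masquerading(image):
    """PIDs whose image has a core system binary's name but lives elsewhere."""
    hits = []
    for pid, path in image.items():
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            hits.append(pid)
    return hits


def render(image, children):
    """Indented tree, one 'pid basename' per line."""
    lines = []

    def walk(pid, level):
        lines.append("  " * level + "%d %s" % (pid, image[pid].rsplit("\\", 1)[-1]))
        for kid in children.get(pid, []):
            walk(kid, level + 1)

    for r in roots(image, children):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    img, kids = parse_rows(ROWS)
    print(render(img, kids))
    print("masquerading:", masquerading(img))
```

The second sample instance (PID 1424) and windefender.exe (PID 2220) have no parent in this table; the WriteProcessMemory signature only records parents that wrote into a child, so the Processes list and the scheduled task entries, not this table, are where their origin has to be looked up.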

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe

"C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe

"C:\Users\Admin\AppData\Local\Temp\e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
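
The `sc sdset WinDefender ...` command above replaces the security descriptor of the service the dropped windefender.exe registers (a name that resembles Microsoft Defender's real WinDefend service). Decoded, the DACL grants SYSTEM the normal control set, grants Administrators every right except SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT), and then adds an explicit deny ACE `(D;;WPDT;;;BA)` for those two rights, so `sc stop` or `net stop` from an elevated shell fails with access denied while the service keeps running. Administrators still hold WRITE_DAC and WRITE_OWNER, so an elevated `sc sdset` with a sane descriptor restores control, and anything running as SYSTEM can still stop the service. The following Python decoder is an added example and not part of the report; the right and SID abbreviations are the standard ones `sc sdshow` uses, and `lockdown_findings` is the author's own summary helper.

```python
"""Decode the SDDL that windefender.exe applies with `sc sdset WinDefender`
and work out which service controls each trustee keeps."""
import re

# Two-letter access-right codes as they read on a service object
# (the SERVICE_* names that sc sdshow documentation uses).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
    "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}

# Well-known SID abbreviations in the trustee field. "WD" here means
# Everyone, while "WD" in the rights field means WRITE_DAC: position matters.
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# Copied from the sc sdset command line in the Processes list above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def parse_sddl(sddl):
    """Return {"dacl": [...], "sacl": [...]}; each ACE is a dict with type,
    flags, rights (decoded names) and trustee (resolved name). Owner/group
    components are not handled; sc sdset output carries none."""
    acls = {"dacl": [], "sacl": []}
    for key, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for raw in re.findall(r"\(([^)]*)\)", body):
            fields = raw.split(";")
            if len(fields) != 6:
                raise ValueError("unexpected ACE shape: " + raw)
            ace_type, flags, rights, _obj, _inherit, sid = fields
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            unknown = [c for c in codes if c not in SERVICE_RIGHTS]
            if unknown:
                raise ValueError("unknown right code %r in %s" % (unknown, raw))
            acls["dacl" if key == "D" else "sacl"].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": [SERVICE_RIGHTS[c] for c in codes],
                "trustee": TRUSTEES.get(sid, sid),
            })
    return acls


def effective_rights(acls, trustee):
    """ALLOW rights for the trustee minus anything a DENY ACE for the same
    trustee names. Group membership and ACE order are ignored, which is
    adequate for a hand-written DACL where each trustee appears once per type."""
    allowed, denied = set(), set()
    for ace in acls["dacl"]:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "ALLOW":
            allowed.update(ace["rights"])
        elif ace["type"] == "DENY":
            denied.update(ace["rights"])
    return allowed - denied


def lockdown_findings(sddl):
    """Explicit DENY ACEs, controls Administrators lost, and whether they
    can still reset the descriptor."""
    acls = parse_sddl(sddl)
    findings = []
    for ace in acls["dacl"]:
        if ace["type"] == "DENY":
            findings.append("DENY %s to %s" % (",".join(ace["rights"]), ace["trustee"]))
    admin = effective_rights(acls, TRUSTEES["BA"])
    for right in ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE",
                  "SERVICE_CHANGE_CONFIG", "DELETE"):
        if right not in admin:
            findings.append("Administrators lack " + right)
    if "WRITE_DAC" in admin:
        findings.append("Administrators keep WRITE_DAC: sc sdset can restore the DACL")
    return findings


if __name__ == "__main__":
    for line in lockdown_findings(WINDEFENDER_SDDL):
        print(line)
```

For hunting, the same decoder can be run over `sc sdshow` output for every installed service: any DENY ACE naming BA, or any BA allow ACE missing WP, is worth a look, since legitimate software almost never withholds stop rights from local administrators.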

Network

Country Destination Domain Proto
US 8.8.8.8:53 fea10ed5-ddd0-4509-bdbb-52d4c789f22f.uuid.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.dumppage.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server3.dumppage.org tcp
US 74.125.250.129:19302 stun2.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server3.dumppage.org tcp
BG 185.82.216.111:443 server3.dumppage.org tcp

Files

memory/3580-1-0x0000000003230000-0x0000000003630000-memory.dmp

memory/3580-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3580-2-0x0000000005010000-0x00000000058FB000-memory.dmp

memory/4380-4-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

memory/4380-5-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

memory/4380-7-0x0000000074B30000-0x00000000752E1000-memory.dmp

memory/4380-6-0x0000000005410000-0x0000000005A3A000-memory.dmp

memory/4380-8-0x0000000074B30000-0x00000000752E1000-memory.dmp

memory/4380-9-0x0000000005A40000-0x0000000005A62000-memory.dmp

memory/4380-11-0x0000000005C10000-0x0000000005C76000-memory.dmp

memory/4380-10-0x0000000005BA0000-0x0000000005C06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4x5w2pk.23b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4380-20-0x0000000005D80000-0x00000000060D7000-memory.dmp

memory/4380-21-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/4380-22-0x00000000061B0000-0x00000000061FC000-memory.dmp

memory/4380-23-0x0000000006580000-0x00000000065C6000-memory.dmp

memory/4380-24-0x00000000075A0000-0x00000000075D4000-memory.dmp

memory/4380-26-0x0000000070F20000-0x0000000071277000-memory.dmp

memory/4380-25-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

memory/4380-35-0x00000000075E0000-0x00000000075FE000-memory.dmp

memory/4380-36-0x0000000007600000-0x00000000076A4000-memory.dmp

memory/4380-38-0x0000000007730000-0x000000000774A000-memory.dmp

memory/4380-37-0x0000000007D70000-0x00000000083EA000-memory.dmp

memory/4380-39-0x0000000007770000-0x000000000777A000-memory.dmp

memory/4380-40-0x0000000007880000-0x0000000007916000-memory.dmp

memory/4380-41-0x0000000007790000-0x00000000077A1000-memory.dmp

memory/4380-42-0x00000000077E0000-0x00000000077EE000-memory.dmp

memory/4380-43-0x00000000077F0000-0x0000000007805000-memory.dmp

memory/4380-44-0x0000000007840000-0x000000000785A000-memory.dmp

memory/4380-45-0x0000000007860000-0x0000000007868000-memory.dmp

memory/4380-48-0x0000000074B30000-0x00000000752E1000-memory.dmp

memory/3580-50-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3580-51-0x0000000003230000-0x0000000003630000-memory.dmp

memory/3580-60-0x0000000005010000-0x00000000058FB000-memory.dmp

memory/2736-61-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

memory/2736-62-0x0000000070F20000-0x0000000071277000-memory.dmp

memory/2736-71-0x0000000007A60000-0x0000000007B04000-memory.dmp

memory/2736-72-0x0000000007D80000-0x0000000007D91000-memory.dmp

memory/2736-73-0x0000000007DD0000-0x0000000007DE5000-memory.dmp

memory/1424-74-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2180-78-0x0000000005E40000-0x0000000006197000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 975689e04be61faa9906de15e291d07f
SHA1 9897621c387f2de8b1e48e08b3a0a4587fecceb7
SHA256 dcdf91793e906f720bf9b2d1bd4d95ea5b1ceb3fa167c595d0f57df1c17e13c8
SHA512 08890f6c6a5866604eff3fc0d4a5e970feeb10fa221478904ff0bfd45dbfd233490cb3f16764fbe412530d09f7c65e7d55cbe2354c5d0766652603085e4c1baf

memory/2180-88-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

memory/2180-89-0x0000000070FF0000-0x0000000071347000-memory.dmp

memory/3580-99-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a7d0810295a9530f840e58a293f3e984
SHA1 35d49e30f8c5b93712f2b45ac30c8a74728efcd4
SHA256 485002987db5df2c8fbfd1d7a700b4fcc7f26e8ad4359c839556097bc50d1bd8
SHA512 87ffb5a1fa7f256ef187ccd60a72f7d4fcc8e923364e7deb372b13132bda95a1eac4cb82b180cc12990c712f355fd81a0e28cdfe974acb159942de88fd7ff584

memory/1388-110-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

memory/1388-111-0x0000000070FF0000-0x0000000071347000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 04505522e025cf61e4592405690c9068
SHA1 73c4ab3f6e69fdfafe9e42a60aba8225160b9e44
SHA256 e8b4ebf8b325b79d06dcbae4a92fb0c7b4dd68684751c71fabc333aa7fca11ad
SHA512 162a90dc5ac145913616e4690d4278229067c8b81e0ab5c6e1f4cb92d38a005798ac9b95c51de0873998ef9f44a7c1d0ef52ee8c904537d743ee85cd06f15162

memory/1424-125-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f81e01d0586946cc17e9bae930dd055
SHA1 cf357dc5f2cc70c3b4e13e5611aa2cdaabb27fd1
SHA256 c5ae542f9abe357241766602699732b927675dd48d266459df4212e045f9307b
SHA512 bc08c5583e5be1f226727e0b1f80fc07e971b52266f21496d974f9e01067385fd4f30135e879777ad6f7d9b05b085d04ba975cfa761b48d21d4058202370264e

memory/1924-137-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

memory/1924-138-0x0000000070F20000-0x0000000071277000-memory.dmp

memory/5028-148-0x0000000005950000-0x0000000005CA7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d780cc7d5dc60af224a3abc82377abb0
SHA1 7eba684bb11b545942ee98b52d3f322ee1e1de9c
SHA256 25550da16c08452e0847572f26883512ff386596ff188d0eb693f0c3dc319f27
SHA512 041c08190896dade35b634052f9d338e0bfbd4ceb3ce46489fd0b5c84d2c9b783e2fdf5cf91b4f4a85a3ccb2c389fb8e241853daebf63b44fc16ee46e92d5574

memory/5028-158-0x00000000062D0000-0x000000000631C000-memory.dmp

memory/5028-159-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/5028-160-0x0000000070F10000-0x0000000071267000-memory.dmp

memory/5028-169-0x0000000007130000-0x00000000071D4000-memory.dmp

memory/1060-170-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/5028-171-0x00000000074D0000-0x00000000074E1000-memory.dmp

memory/5028-172-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8a62dfb41dcc6f9c9362f6e9a8a84efe
SHA1 97c8f13b461b7a4e51a6c7ab7bcf0ddc156fc99b
SHA256 b5cfd7e7c9a877b7be70731a61570405a5405ecb9457bafbda350bef5bd15a8f
SHA512 88a1542243f1c133189e924b87c1719cecb9ec1dc19a6438c7d49bdb5c3a2b9eff948c8891adf0e58c57abd21737da247fe537eae4176f5952c45f73a6eb83bf

memory/3544-183-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/3544-184-0x0000000070F10000-0x0000000071267000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1060-200-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2220-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3632-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2220-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1060-211-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3632-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1060-214-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1060-217-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3632-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1060-220-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1060-223-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1060-226-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1060-229-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1060-232-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1060-235-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1060-238-0x0000000000400000-0x0000000002EDD000-memory.dmp