Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x84m4sea72
Target 3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5
SHA256 3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5

Threat Level: Known bad

The file 3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:32

Reported

2024-05-09 19:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\system32\cmd.exe
PID 4200 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2008 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4200 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\rss\csrss.exe
PID 4200 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\rss\csrss.exe
PID 4200 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\rss\csrss.exe
PID 3036 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 3856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3036 wrote to memory of 3856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3080 wrote to memory of 4960 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4960 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4960 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4960 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4960 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe

"C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe

"C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55e6345a-538a-4c33-ac4e-e970e60d1f1b.uuid.dumppage.org udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server3.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server3.dumppage.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
BG 185.82.216.111:443 server3.dumppage.org tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.111:443 server3.dumppage.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4816-1-0x0000000003310000-0x0000000003711000-memory.dmp

memory/4816-2-0x0000000004FC0000-0x00000000058AB000-memory.dmp

memory/4816-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4088-4-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

memory/4088-5-0x0000000005160000-0x0000000005196000-memory.dmp

memory/4088-6-0x00000000057D0000-0x0000000005DF8000-memory.dmp

memory/4088-7-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/4088-8-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/4816-9-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4088-10-0x0000000005780000-0x00000000057A2000-memory.dmp

memory/4088-12-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/4088-11-0x0000000005F70000-0x0000000005FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itpnmxsf.bnt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4088-22-0x0000000006110000-0x0000000006464000-memory.dmp

memory/4088-23-0x00000000066C0000-0x00000000066DE000-memory.dmp

memory/4088-24-0x00000000067A0000-0x00000000067EC000-memory.dmp

memory/4088-25-0x0000000007840000-0x0000000007884000-memory.dmp

memory/4088-26-0x00000000079E0000-0x0000000007A56000-memory.dmp

memory/4088-27-0x0000000008140000-0x00000000087BA000-memory.dmp

memory/4088-28-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

memory/4088-29-0x0000000007CB0000-0x0000000007CE2000-memory.dmp

memory/4088-30-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/4088-32-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/4088-31-0x0000000071290000-0x00000000715E4000-memory.dmp

memory/4088-42-0x0000000007CF0000-0x0000000007D0E000-memory.dmp

memory/4088-43-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/4088-44-0x0000000007D10000-0x0000000007DB3000-memory.dmp

memory/4088-45-0x0000000007E20000-0x0000000007E2A000-memory.dmp

memory/4088-46-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/4088-47-0x0000000007EE0000-0x0000000007F76000-memory.dmp

memory/4088-48-0x0000000007E40000-0x0000000007E51000-memory.dmp

memory/4088-49-0x0000000007E80000-0x0000000007E8E000-memory.dmp

memory/4088-50-0x0000000007E90000-0x0000000007EA4000-memory.dmp

memory/4088-51-0x0000000007F80000-0x0000000007F9A000-memory.dmp

memory/4088-52-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

memory/4088-55-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/4816-57-0x0000000003310000-0x0000000003711000-memory.dmp

memory/4816-58-0x0000000004FC0000-0x00000000058AB000-memory.dmp

memory/4816-59-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4816-60-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2056-70-0x0000000005AE0000-0x0000000005E34000-memory.dmp

memory/2056-71-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/2056-72-0x0000000071440000-0x0000000071794000-memory.dmp

memory/2056-82-0x00000000072C0000-0x0000000007363000-memory.dmp

memory/2056-84-0x00000000075F0000-0x0000000007601000-memory.dmp

memory/4200-83-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2056-85-0x0000000007660000-0x0000000007674000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2104-98-0x00000000059A0000-0x0000000005CF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4555c9a730e687fa52d1f50293618fe9
SHA1 13c01c9cc4c5898404cf2084c8252ed009727fbb
SHA256 947bd37597c4303ed536628cc4d7822ecb2ce411d2b8b9eab8008641c5c57270
SHA512 60048b82678563d51066edc681e2cc3fb79b39409ca64275d7595402f1f8e3bd6ed1a5540ef55f7782d897010502d481cf26e417adcfa677234144ac63904bfe

memory/2104-100-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/2104-101-0x0000000070E40000-0x0000000071194000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b2b40f0f887f1cc41636dd424c2d1a58
SHA1 d8458d5381f05fe55fd55bbf18dffbb9ef8d356a
SHA256 4dc8a9e6542af2347c8bad62947c5c787203750e19758fae405a7e0b8792fc9e
SHA512 56778533859b4aa3cb7b1af1aa16ad0046610ac99016262b5ae553afc835e89070f6ec17cb8d383772cb42a23e05a79b002e11f2bd6e7a2bd0540a9671075ece

memory/3060-124-0x0000000070E40000-0x0000000071194000-memory.dmp

memory/3060-123-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6f4d183e5d1aab790f02bc0295e3d43e
SHA1 1326ffb83de86687ef30cd8db10c5598be84bee2
SHA256 3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5
SHA512 ac935aa0489b23892a7653547888428c583ed116223c3c2cb207a8e30f5f3f0fc671fd58cc8addc5056ccfe41ab7afcd12f1f5def809f3025c4b9c36913e5f20

memory/4200-138-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd84e3ce93d78ab117383a901006156f
SHA1 a0fcd2742b4018bb06677cd5fd01ba6b6821c336
SHA256 349526f21ad458f79f9a17b2a25e83359703d41570cb5f9d5aeb85379f63f081
SHA512 9a48b558654676fcd601c53e586ca95a4be981e07053f524164bade9167b38703f9fd97efa5bb2549f3b1b8fbebd67ba9eedb54ae2884a0b67604a578ebf3128

memory/3036-152-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/5072-153-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

memory/5072-154-0x0000000071440000-0x0000000071794000-memory.dmp

memory/3220-174-0x0000000006370000-0x00000000066C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 15b343923f609955721e1aa423b50788
SHA1 2e473005cbcabb6bf93a9912dd4a4bb6044e125c
SHA256 377a5eb50c34cbd93cddcad3ad4b21cfa90f0d110215260534b48706177fcb74
SHA512 ed18912805245dc2a0cae9ab47049a2ed475303737335594f84487d4956e09a2c3b85fd6aa87a86357f73ff796a5f7c63252a4e9b76891c2b90833c4b2e4b6ef

memory/3220-176-0x0000000006E20000-0x0000000006E6C000-memory.dmp

memory/3220-177-0x0000000070BE0000-0x0000000070C2C000-memory.dmp

memory/3220-178-0x0000000070D60000-0x00000000710B4000-memory.dmp

memory/3220-188-0x0000000007B20000-0x0000000007BC3000-memory.dmp

memory/3220-189-0x0000000007E90000-0x0000000007EA1000-memory.dmp

memory/3220-190-0x0000000006710000-0x0000000006724000-memory.dmp

memory/2980-201-0x0000000005CD0000-0x0000000006024000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 678a89f6db42bfaa82b04420d501b5fd
SHA1 9c4f323b246c7cdc28227d7bcc5242f69f9179e8
SHA256 ccd223eb17217abf441c24138cde59a0b7af2f5bddbc24a9398c0e97b22e29ab
SHA512 a64310f3e452d27e6c5f512d139b2392c016827d885987a8a4f5c67cf2c76d4e78de1a5ac49b5ecccca40a27be53753b6e93b36466b06f82de8a0a43713dc50a

memory/2980-203-0x0000000070BE0000-0x0000000070C2C000-memory.dmp

memory/2980-204-0x0000000071370000-0x00000000716C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3036-221-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3080-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4208-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3080-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3036-232-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4208-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3036-235-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3036-238-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4208-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3036-241-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3036-244-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3036-246-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3036-250-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3036-253-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3036-256-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:32

Reported

2024-05-09 19:34

Platform

win11-20240426-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\system32\cmd.exe
PID 5032 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\system32\cmd.exe
PID 1016 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1016 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5032 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\rss\csrss.exe
PID 5032 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\rss\csrss.exe
PID 5032 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe C:\Windows\rss\csrss.exe
PID 1392 wrote to memory of 3412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 3412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 3412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 5020 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 5020 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 5020 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4016 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4016 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4016 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 4852 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1392 wrote to memory of 4852 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3444 wrote to memory of 3236 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3444 wrote to memory of 3236 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3444 wrote to memory of 3236 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3236 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3236 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe

"C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe

"C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 f3e4de9a-eabc-4428-bee4-287e16deab80.uuid.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.dumppage.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server11.dumppage.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server11.dumppage.org tcp
BG 185.82.216.111:443 server11.dumppage.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojn4niex.guc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d835b8fe58b372c711238e85a25a65d6
SHA1 8e9c038e12c68571c30f0c804cbae22d99e67cfd
SHA256 6c68f4da8d7fabcd4f8044c2e14fcd72b3223d8dcfe40e7dcf84368069b95adf
SHA512 e2f39cc566e1ba6b5b3d3a41bea691bc7e40f3500d27f14397600b64bd02a88ee803fbb88418bfc0149a759686d80c66afb9ea542e6df1cb61f9d20bf61cc496

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1c471c8f4a8dc28216b61243e4119c74
SHA1 ed4bd0f95ddcf40571158a7d9806ca2f7ab47628
SHA256 44980ec5a2628b6125d0dfd00a89cc79fa30a5fd6261ef9b4c47467d3de076f8
SHA512 868ed93cfac8580f16e7cad192686b4890657f56e7157ca2d2835b66844c888f8af1fc657af448e6289db957e96a8f17d27e632ea7d30231b2927c2e98be11fa

C:\Windows\rss\csrss.exe

MD5 6f4d183e5d1aab790f02bc0295e3d43e
SHA1 1326ffb83de86687ef30cd8db10c5598be84bee2
SHA256 3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5
SHA512 ac935aa0489b23892a7653547888428c583ed116223c3c2cb207a8e30f5f3f0fc671fd58cc8addc5056ccfe41ab7afcd12f1f5def809f3025c4b9c36913e5f20

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3483e1f6e0e30f7cce88b408ae8019ce
SHA1 40cb33a0515192f9feaccb94ad2aa08a6ad9e2e6
SHA256 0fe01978959d84b09381ccac4d166dd37517818e4895efab4f2e2ee1bc1238fc
SHA512 d1b8a14b5f68e89cc0b4465d9f772e9ede3100063bae651294fafdca866037c0f98e3d682b82a55f2959b66d15e161d7d627675fada3b93483aca0a5cefd494f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 75201c4362dc6ed5321e99f8aff0f520
SHA1 413cf94e2b2fcf66afb2650b8668cb26100af316
SHA256 59f44f93745da037108f7dbd224345a1cc9aa4a0a464d30137dd7cb9c8f95831
SHA512 8ef1db9c93ea70bf07abc57a535636f57d9b0c53d5b6c65f2c98d7e9fb2cc1ecfa051f25fa1d5dd26be114a1a863f3cf97bd2532fcd35fabfca3e73c95a34362

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0084f004e29ff57c3d7e2e0993c9c408
SHA1 5c86e4c7231f9a972d72b547882a63092dd21ea5
SHA256 f6da7f04bf628de968e9a33f53c699115dba181fd834e303eb666297cc49e5a9
SHA512 c55f694fe84ffdec003fdaefefdf8b073afca913f420c200c3b036c6ad6711166bf2f8d8b378526fd53eaf81e2f3d8fb7cfd80a31269971a970fb3bd85e5f8b1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
