Malware Analysis Report

2025-06-16 01:58

Sample ID: 240509-ybyw2aeb85
Target: dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c
SHA256: dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c
Threat Level: Known bad

The file dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 19:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 19:37
Reported: 2024-05-09 19:40
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(20 matches; no description, indicator, process or target was recorded for this rule)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

The rule added (full command under Processes) is an inbound allow named "csrss" for C:\Windows\rss\csrss.exe, i.e. the dropped copy, not the real %SystemRoot%\System32\csrss.exe. An inbound allow for a dropped binary is a useful hunt on its own: "netsh advfirewall firewall show rule name=all" lists the Program field for every rule.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

All of these borrow system-looking names but live outside System32/SysWOW64: csrss.exe in C:\Windows\rss\ and windefender.exe directly in C:\Windows\ (windefender.exe appears twice because two instances ran). injector.exe is invoked as "injector.exe taskmgr.exe ...\NtQuerySystemInformationHook.dll" (see Processes), i.e. it loads into Task Manager a DLL that hooks NtQuerySystemInformation, the call Task Manager uses to enumerate processes; that is consistent with hiding processes from Task Manager in user mode.

UPX packed file

upx
Description Indicator Process Target
(6 matches; no description, indicator, process or target was recorded for this rule)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

The same HKCU Run value is written first by the sample and again by the dropped csrss.exe, so the persistence entry is re-asserted on every run; removing the value without removing C:\Windows\rss\csrss.exe (and the scheduled task below) is not enough.

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

\??\WinMonFS is a device name in the NT object namespace, not a file on disk, so the open only succeeds if a driver exposing that device is loaded. The report does not show whether one was; on a live host, a driver of that name would register under HKLM\SYSTEM\CurrentControlSet\Services\WinMonFS with a matching .sys image, which is the place to check.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (x5)

These are PowerShell's own startup-profile cache and the CLR usage log, not a dropped payload. What matters is the path: SysWOW64\config\systemprofile is the LocalSystem profile as seen by 32-bit processes, so the 32-bit PowerShell instances that wrote them were running as SYSTEM rather than as the Admin user who launched the sample (the HKU\.DEFAULT registry writes below point the same way).

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A

Despite the signature name, the indicator is a device, not a DLL: \??\VBoxMiniRdrDN is the VirtualBox shared-folders mini-redirector device, present only when Guest Additions are installed. Opening it is a cheap VM check, and the sandbox image evidently survived it since execution continued.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

The command (see Processes) is "sc sdset WinDefender <SDDL>", issued from a cmd.exe spawned by C:\Windows\windefender.exe, and it replaces the security descriptor of a service named WinDefender. Compared with the descriptor a freshly created service normally carries, the Administrators allow ACE has WP and DT removed and an explicit deny ACE (D;;WPDT;;;BA) is added, so members of Administrators can no longer stop (SERVICE_STOP) or pause (SERVICE_PAUSE_CONTINUE) the service through the SCM. WD (WRITE_DAC) is still granted to Administrators, so the descriptor can be restored from an elevated prompt with sc sdset, and a SYSTEM context can still stop the service.

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Both hits are the same command (see Processes): a task named csrss, triggered at logon, run with /RL HIGHEST, pointing at C:\Windows\rss\csrss.exe, created twice with /F to overwrite. A third schtasks invocation deletes a task named ScheduledUpdate; it is not counted here because it creates nothing.

Modifies data under HKEY_USERS

Description Indicator Process Target
64 events, grouped here by process and key (the raw report lists them unordered; repeated events carry a count).

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (28 events)
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (x2)
  Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\: Root (x2), Root\Certificates, Root\CRLs, Root\CTLs, trust, trust\CRLs, Disallowed\Certificates (x2), Disallowed\CRLs, TrustedPeople, TrustedPeople\Certificates (x2), SmartCardRoot\CTLs (x2)
  Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\: CA, CA\Certificates, CA\CRLs, Disallowed (x2), Disallowed\Certificates (x2), Disallowed\CTLs, trust\CRLs, TrustedPeople

C:\Windows\windefender.exe (20 events)
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-N for N = 81 ("Atlantic Daylight Time"), 352 ("FLE Standard Time"), 402 ("Arabic Standard Time"), 451 ("Caucasus Daylight Time"), 671 ("AUS Eastern Daylight Time"), 722 ("Central Pacific Standard Time"), 872 ("Pakistan Standard Time"), 982 ("Kamchatka Standard Time"), 1802 ("Line Islands Standard Time"), 1842 ("Russia TZ 4 Standard Time"), 1911 ("Russia TZ 10 Daylight Time"), 1932 ("Russia TZ 11 Standard Time"), 2341 ("Haiti Daylight Time"), 2372 ("Easter Island Standard Time"), 2411 ("Marquesas Daylight Time"), 2412 ("Marquesas Standard Time"), 2452 ("Saint Pierre Standard Time"), 2532 ("Chatham Islands Standard Time"), 2631 ("Norfolk Daylight Time"), 3142 ("South Sudan Standard Time")

C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe (16 events)
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-N for N = 42 ("E. South America Standard Time"), 272 ("Greenwich Standard Time"), 282 ("Central Europe Standard Time"), 432 ("Iran Standard Time"), 451 ("Caucasus Daylight Time"), 461 ("Afghanistan Daylight Time"), 502 ("Nepal Standard Time"), 832 ("SA Eastern Standard Time"), 872 ("Pakistan Standard Time"), 1041 ("Ulaanbaatar Daylight Time"), 1472 ("Magadan Standard Time"), 2341 ("Haiti Daylight Time"), 2342 ("Haiti Standard Time"), 2372 ("Easter Island Standard Time"), 2892 ("Sudan Standard Time"), 3051 ("Qyzylorda Daylight Time")

Reading these: the SystemCertificates keys are what CryptoAPI creates the first time a process opens the current-user certificate stores, and ZoneMap\ProxyBypass and AutoDetect are WinINet proxy settings; neither is a deliberate modification. What is telling is the hive. HKU\.DEFAULT is what the LocalSystem account sees as HKEY_CURRENT_USER, so those PowerShell instances ran as SYSTEM, consistent with the SysWOW64\config\systemprofile paths in "Drops file in System32 directory". The MuiCache @tzres.dll entries are cached localized time-zone names, written when a process resolves time-zone display strings; harmless by themselves, though it is worth noting that the sample and windefender.exe both trigger the same lookups.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
64 hits; no description, indicator or target was recorded. By process:
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (x32)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x14)
C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe (x12)
C:\Windows\rss\csrss.exe (x6)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

SeSystemEnvironmentPrivilege is the privilege required to read or write firmware (UEFI) environment variables. Nothing else in this report shows what csrss.exe used it for, so on a live host the follow-up is to check firmware and boot state rather than assume it was idle. SeSecurityPrivilege in sc.exe is expected: "sc sdset" writes the SACL (the S: part of the descriptor), which needs ACCESS_SYSTEM_SECURITY and therefore that privilege.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
36 write events, collapsed to parent -> child with counts (PIDs as logged; "sample" = C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe). Every pair matches a parent/child relationship in the Processes list, so this table doubles as the process tree. Note the two instances of the sample: PID 4712 only starts one PowerShell, while the relaunched PID 1372 does the rest.
PID 4712 sample -> PID 5004 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 1372 sample -> PID 4148 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 1372 sample -> PID 2768 C:\Windows\system32\cmd.exe (x2)
PID 2768 C:\Windows\system32\cmd.exe -> PID 1880 C:\Windows\system32\netsh.exe (x2)
PID 1372 sample -> PID 5280 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 1372 sample -> PID 5448 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 1372 sample -> PID 4608 C:\Windows\rss\csrss.exe (x3)
PID 4608 C:\Windows\rss\csrss.exe -> PID 6112 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4608 C:\Windows\rss\csrss.exe -> PID 4224 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4608 C:\Windows\rss\csrss.exe -> PID 4260 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4608 C:\Windows\rss\csrss.exe -> PID 2160 C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (x2)
PID 5308 C:\Windows\windefender.exe -> PID 4876 C:\Windows\SysWOW64\cmd.exe (x3)
PID 4876 C:\Windows\SysWOW64\cmd.exe -> PID 3288 C:\Windows\SysWOW64\sc.exe (x3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe

"C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe

"C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 ff8cda3e-9162-4bbe-9ee4-faf9fcdcce90.uuid.dumppage.org udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server7.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server7.dumppage.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server7.dumppage.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.111:443 server7.dumppage.org tcp

Files

memory/4712-1-0x0000000003200000-0x00000000035FA000-memory.dmp

memory/4712-2-0x0000000004FA0000-0x000000000588B000-memory.dmp

memory/4712-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5004-4-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

memory/5004-5-0x0000000003340000-0x0000000003376000-memory.dmp

memory/5004-6-0x0000000005B70000-0x0000000006198000-memory.dmp

memory/5004-7-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/5004-8-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/5004-9-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

memory/5004-10-0x0000000006290000-0x00000000062F6000-memory.dmp

memory/5004-11-0x0000000006300000-0x0000000006366000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u30tw3zp.0dk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5004-17-0x0000000006370000-0x00000000066C4000-memory.dmp

memory/5004-22-0x0000000006900000-0x000000000691E000-memory.dmp

memory/5004-23-0x00000000069A0000-0x00000000069EC000-memory.dmp

memory/5004-24-0x0000000006E60000-0x0000000006EA4000-memory.dmp

memory/5004-25-0x0000000007C50000-0x0000000007CC6000-memory.dmp

memory/5004-27-0x0000000008350000-0x00000000089CA000-memory.dmp

memory/5004-28-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

memory/4712-26-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/5004-29-0x0000000007EA0000-0x0000000007ED2000-memory.dmp

memory/5004-30-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/5004-36-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/5004-42-0x0000000007EE0000-0x0000000007EFE000-memory.dmp

memory/5004-43-0x0000000007F00000-0x0000000007FA3000-memory.dmp

memory/5004-31-0x00000000711B0000-0x0000000071504000-memory.dmp

memory/5004-44-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/5004-45-0x0000000007FF0000-0x0000000007FFA000-memory.dmp

memory/5004-46-0x0000000008100000-0x0000000008196000-memory.dmp

memory/5004-47-0x0000000008000000-0x0000000008011000-memory.dmp

memory/5004-48-0x0000000008040000-0x000000000804E000-memory.dmp

memory/5004-49-0x0000000008060000-0x0000000008074000-memory.dmp

memory/5004-50-0x00000000080A0000-0x00000000080BA000-memory.dmp

memory/5004-51-0x0000000008090000-0x0000000008098000-memory.dmp

memory/5004-54-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/4712-56-0x0000000003200000-0x00000000035FA000-memory.dmp

memory/4712-57-0x0000000004FA0000-0x000000000588B000-memory.dmp

memory/4148-58-0x00000000059F0000-0x0000000005D44000-memory.dmp

memory/4712-69-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4712-68-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4148-70-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/4148-71-0x00000000711D0000-0x0000000071524000-memory.dmp

memory/4148-81-0x0000000007220000-0x00000000072C3000-memory.dmp

memory/4148-82-0x0000000007550000-0x0000000007561000-memory.dmp

memory/4148-83-0x00000000075A0000-0x00000000075B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d5a9c1dd9948482d3cdbcf16b951f924
SHA1 53cdcff558817e80d77ccbbe39909fe36f18828a
SHA256 a7b22c3accb835ee413ab43989200154806693be9500a0cb9846f4d0614641d4
SHA512 5179625c95abdb7de75afb046ee24555aae41b8860328e9e90e78f9f29259e5132dd878258e96ab6c36bb948754ee2005d04439694238264ecd9b33fce7f6960

memory/1372-97-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/5280-98-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/5280-99-0x00000000711D0000-0x0000000071524000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bfdb8b39c378632c0b3342db1c480072
SHA1 c0e10576831036fee38b7289e24eca48cf4ad326
SHA256 94d7007a9a3dc1dd6731951d3bd5e7652a1b7db4aaa727746e968bc399041647
SHA512 8b0066ed94f0953b19aeedc15f28384a1bb038310edcd8663c8153e97a2e3b6e0469c75e482bb4ed69b8d9fcf8d4e789f4c9d568cec2ddd428faa60940bedff2

memory/5448-120-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/5448-121-0x00000000711D0000-0x0000000071524000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5bc632336f927d43a3941ed6fef39239
SHA1 8579a041b5550d17694e892e17aaee7aa960cd77
SHA256 dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c
SHA512 b4c0c1ed46591d14f373ca6b3b8f421da9427e92315a11539ee8eac6667c4dabea2bbde88a8d940de157ee54864cd7b495a7ea2e4cee937b4ff5c5a0d725aa0e

memory/1372-135-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e40a629959f2dc7e46aa93cabb057fe0
SHA1 f0fe5ab0eeca5cfe353f72b085cbf86035434755
SHA256 5789c98d20d03092705c53110fbcf864ba507c2b22de1bf1324b3c32a8996a80
SHA512 b6ae92ed6527a7c34c5304fe795c9b3c89fa1dbc117e277565e9515acaaa9c84ccd84fbf865c250428d223326ae9da7b74d0965f6490f62431822b8fc60eeca7

memory/6112-149-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/6112-150-0x00000000711D0000-0x0000000071524000-memory.dmp

memory/4608-161-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4224-163-0x00000000057E0000-0x0000000005B34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d82a95c81adaa5532c1b08716a93dce1
SHA1 6233ae631132590bb8e53a0064924a23619b9bf3
SHA256 829fad27903042a696806699d68ccddb5c6418111ca4d6b58bfaff65be56349e
SHA512 b08847faee31fe3723224d0af17e1b4bd969c0947cf0c4c650b859e514e6ad8b4896db6a31be9fdb87d6eb3b5a45c0cc03d835861cf3a0d7f4178b2711d3fc29

memory/4224-174-0x0000000006000000-0x000000000604C000-memory.dmp

memory/4224-175-0x0000000070970000-0x00000000709BC000-memory.dmp

memory/4224-176-0x0000000071100000-0x0000000071454000-memory.dmp

memory/4224-186-0x00000000070B0000-0x0000000007153000-memory.dmp

memory/4224-187-0x0000000007290000-0x00000000072A1000-memory.dmp

memory/4224-188-0x0000000005C80000-0x0000000005C94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3fbccb855e333971951b36ecd971b87e
SHA1 30ba19cc8415c5c9098e37a1143701d69ec8a05f
SHA256 d8a366bfbb1ad98f76ba394f0e0afc4b6bc28b668d25a0513c7b9ddba01abd52
SHA512 944678e71d530e5a531aaadadd02cb63be1a110fc9f8460cba8b4d820499279c76083c80c47738673faebb78a7b56d6e724e58ab8e88a50ea3933848653aca10

memory/4260-200-0x0000000070970000-0x00000000709BC000-memory.dmp

memory/4260-201-0x0000000071100000-0x0000000071454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4608-218-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5308-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5308-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5028-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4608-229-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/5028-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4608-232-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4608-235-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/5028-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4608-237-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4608-240-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4608-244-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4608-247-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4608-250-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4608-252-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4608-255-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:37

Reported

2024-05-09 19:39

Platform

win11-20240426-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\system32\cmd.exe
PID 2608 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1092 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2608 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\rss\csrss.exe
PID 2608 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\rss\csrss.exe
PID 2608 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe C:\Windows\rss\csrss.exe
PID 828 wrote to memory of 2396 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 2396 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 2396 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 4556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 4556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 4556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 3856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 828 wrote to memory of 3856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1556 wrote to memory of 640 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 640 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 640 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 640 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 640 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe

"C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe

"C:\Users\Admin\AppData\Local\Temp\dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6b4bae8b-dd9d-447a-9d96-59838d93e43b.uuid.dumppage.org udp
US 8.8.8.8:53 server7.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server7.dumppage.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server7.dumppage.org tcp
BG 185.82.216.111:443 server7.dumppage.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mj1cbzur.4o1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bf78c138339d05cc1955b4dcea3895dc
SHA1 41ded54a1328e39a62f07a284061ce27813a8892
SHA256 ecbec28abb4956792b052fb69c45a947d44fe78f96baa1d62f3ee5bd3f81beaa
SHA512 d4d3f73b276bcd4a1877d845f45fec3f338be6c3248390e71fedce035f286a2f1af5dec32f8e880de18bf93975da426b8295d5ef00bf828770128b1adaeae78a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e911cd315add4c027a8fe72df99ed807
SHA1 8b2fd51603627312e17db00e59636a9054884caf
SHA256 89fc31421ac7d2949e6d5ef2304a3915021a3bd1c41dccf731567d192d9de316
SHA512 c07c6ddeb2b09cc965aaa6ee368c6a8d2fa37f074ff73a2f1c93f08a8d5dcfd2961cdd2277e0dfc3906b1defd420c23cf374bfbe23194e4711899f1fc3995c63

C:\Windows\rss\csrss.exe

MD5 5bc632336f927d43a3941ed6fef39239
SHA1 8579a041b5550d17694e892e17aaee7aa960cd77
SHA256 dcbf1f165a1a28cd390a12b5161ac6f08306072e4e30afe3141e85d628b1066c
SHA512 b4c0c1ed46591d14f373ca6b3b8f421da9427e92315a11539ee8eac6667c4dabea2bbde88a8d940de157ee54864cd7b495a7ea2e4cee937b4ff5c5a0d725aa0e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d24824d08421ff57d5c885ca470a4259
SHA1 0ecfda263a5ae71c6806b873fd0c127c01e0ee72
SHA256 6e70508de4ccccd843ec7761d9e1a88fa8a00df5a4e8f3b47a2cecc1d4f95dfb
SHA512 85200e5beb73c46b8bd884a661e77df59da0e4ff32ccbd540cbded3eb12073f2029a2043a05ba60db2bb685c20cec6bd01e5ce46781e09c8d1d828d95350b2d7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 51d9ce9c2f1f44e88f866b5587912384
SHA1 d3a84a28c8ee6ef90609670e3d98d2dc6f507ba5
SHA256 f5f2d152283beac485594985d474c03733e06258432b510e12370917ebb7b71d
SHA512 068962f73bd6ed55f1849c2de8873eb2ffc2e23142ac60d8934b146762c865a48e1439ca9e6c213fe3ade27c5881c21b455f7382b5ead2c1b45f4f51104c6fba

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aa83558dedc7acece9c00b1728e1d4b7
SHA1 73728c0e941eb83f13d352b64931c5d84f7d6a75
SHA256 1764818befdd71d4718d367970dc474259704dac4caecd51075bcefeb9ce85d6
SHA512 eba53415150b417281b88289b8c99303b8e1d33b94e27f77435ad859f3893135e17a5462fc9e48bf0c8929fd2a7d19b5a89a3cb133c9cfa9c797e6c5b7adbba8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
