Malware Analysis Report

2025-01-02 06:29

Sample ID: 240515-3l24naac55
Target: affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3
SHA256: affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3

Threat Level: Known bad

The file affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-15 23:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-15 23:36
Reported: 2024-05-15 23:39
Platform: win11-20240426-en
Max time kernel: 149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (19 identical rows, every field N/A)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 identical rows, every field N/A)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (14 rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A (12 rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A (32 rows)
N/A | N/A | C:\Windows\rss\csrss.exe | N/A (6 rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4764 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\system32\cmd.exe
PID 3816 wrote to memory of 3088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3816 wrote to memory of 3088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1752 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\rss\csrss.exe
PID 1752 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\rss\csrss.exe
PID 1752 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe | C:\Windows\rss\csrss.exe
PID 4008 wrote to memory of 4272 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 4272 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 4272 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 4684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 4684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 4684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 1556 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 1556 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 1556 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4008 wrote to memory of 2352 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4008 wrote to memory of 2352 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3424 wrote to memory of 3780 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 3780 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 3780 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3780 wrote to memory of 4836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3780 wrote to memory of 4836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe

"C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe

"C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdc7cc28-a5c4-4928-aa24-6a1d4580d3d1.uuid.datadumpcloud.org udp
US 8.8.8.8:53 server14.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_voyfu40h.sxr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 53631543bde57a55cc4bed1809e2e569
SHA1 2fb44c0899443e86d21c15f92863837721340775
SHA256 746ee65566dc74aa58ad491fb25b14a9387c243a9824e195c494105233498958
SHA512 e6df49dc3022040cffd3e93bb49b90c7b5fa97a54857163b5b8b7644fb9c984f266607f7f587c4a87725ed2de83e2387b75d7dfe2d1ceb92bee703f201d88fd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 394c95fc00e619a30e5c14364fb1967a
SHA1 ffa82b22ae62c105aeb804e606e1d8d6b4444a28
SHA256 8b9c3501190ee07ca5e32f13bfe84878d62d33da353d2fa5d253817aa96ddfcc
SHA512 8d76aa5876494989b968ce1cd678406bb0cb050eb98e8e9dd2156d6e6c067f7f8fcb6aef8b880b222fece5967382113d31740e6699c4f2975a7396c997bdc322

C:\Windows\rss\csrss.exe

MD5 bba9d5e991359022bc40745ee861cd26
SHA1 baf34d9d483bea0bc6ed4d4b879a30633ce15ffb
SHA256 affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3
SHA512 abbd034fa4806f9a3b98e3760db6785f719b8b43366f6ff50cd0254ed65c09f5baf2f78e284ce26fd2e88656ae87b0e93f7360be93a92c776ebfc5b1fb831135

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 49ed9dd2a60f9d191d6d4aeff87cce76
SHA1 759e031d2f9be55ebb255f0d097701525e7caa81
SHA256 739883d6c3e45d5418c8172aa3f20c37070e371b0858b3fbde2ad7c435f12559
SHA512 86632a6d311234b59f5a8448d976b20169681f8d3ceae08ae70a76195f4f4ae8e043312e82e95dd8f59beb61f50d17b553c801cb76cf0f23328cd8e1810e3c30

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6dca00c5db3322c5bcb940414bbc45e7
SHA1 decf4dc094f42ff40f13d8f1257794e360ae86f2
SHA256 01ebaca7d3bff0b0d596a85d1a5c23f43e95a47301794e0e5a2c7f3257758b31
SHA512 512fcf9184be9f8cafea612a7af0f7f5511db941a5c43ebd2d221c4b845e3d02251c2e799ad3c5405398607e622f1a312f7563922c66b9ec1abbd48e4a55f169

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7d351eb13835dec52e5fb3022efefa97
SHA1 f431fff8b2d5b05a2a5f307c2570647ce7da5e28
SHA256 0f808bae91ac5222968c69408fecda314beb532a0b24302de9c239a4dab34306
SHA512 ce6469b3ca114938538ebf13c53dec722388ce0b5aeeca3b59cde9198568977ae339579677c8028ae17b43730c6f0ddc1e12775195f08d5f4c635e41c015de51

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:36

Reported

2024-05-15 23:39

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4716 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1896 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe C:\Windows\rss\csrss.exe
PID 1556 wrote to memory of 828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1556 wrote to memory of 2068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1556 wrote to memory of 2444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1556 wrote to memory of 3264 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2172 wrote to memory of 1600 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe

"C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe

"C:\Users\Admin\AppData\Local\Temp\affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_do1z205j.qvt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 be74936dc055815d26490e7a36d13525
SHA1 2bd8281354e9ef7ddb41e3a41abb604dce854d59
SHA256 5ec42fc496aeec47f57c8273546ad535444cd787ebb21febd02ed830f4eeaf05
SHA512 755729abe063496e73f0ba3d39d7e6cabe7a5e151adc474ef333fadd86e88651497313910ce208bda93fc8bfc30f1d97d5122569dff3e7a243390dd25217adf8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 501e379a0a75f189abad6df6ed93e7d2
SHA1 d039042ef486f18aef4f772a3f13cc2244a2d44e
SHA256 6aaffd1448dcae38affd705b91ee8a3f894bc83d51e8873b72b70f4f8e849977
SHA512 9ab332aaf4d82e609cf67e75d3f8275fd6ef0815f4b7e48dca97bd5f129eff3ac9b0b5b4fe1aa1ca752618685f4138e8111e1e30ece91a1bbd91e44a6a1cd862

C:\Windows\rss\csrss.exe

MD5 bba9d5e991359022bc40745ee861cd26
SHA1 baf34d9d483bea0bc6ed4d4b879a30633ce15ffb
SHA256 affef6198803d2326f4528dc165fdb88c197072eeac42f88881196e229bffad3
SHA512 abbd034fa4806f9a3b98e3760db6785f719b8b43366f6ff50cd0254ed65c09f5baf2f78e284ce26fd2e88656ae87b0e93f7360be93a92c776ebfc5b1fb831135

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 712b22f248011bf8857a258c2f6ccf01
SHA1 50b46544a6ea6771171402ca72f2b7f3aafab772
SHA256 c4daeb9527ed05677d535ce1b72611bb43f7507ca391cbb1a1332bffe8de9c1f
SHA512 aee7e10947e6240d3e6d44728490985c26d5a48d4fda36bc295a8196d8f2314c4d06496b37cd2ae6d74876b94937aa9d2f85a97865b457eefa0e23f48185c8d4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 78ca64bbb70a83a40b6a5bc7ab774ae7
SHA1 902894fe7bb873371274b2db628ad43a3fc5f712
SHA256 3dec1d27df65a5a0639c2a556fc19c8489181c3032264973aa3c4e2d7c51ed55
SHA512 844962434d1fd4b4948c901afacd7e5c51f83ab839f09b1c0e84ed2590db21026b2ee685451f8deb30af65dfc2b34cffdb8296fb4eaeb4b429b6c48f2eaa1c08

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f46e2a1bb3fd2ec73da1f5f8001e413d
SHA1 18c728162de8d576c8d752c32f21a86d88067a7c
SHA256 bdf88664e0c11b4a5a1494c63a7f1db11ed4871576ddde44063ef210dbe27fc4
SHA512 e144394640fe2e29519825d5a56d0ba651b5589905156aaa9b9015ea27b9070385a39f06417ce9f5114fec1b0393b965532bd94f147745f9176815f3af926b93

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
