Malware Analysis Report

2025-01-02 06:28

Sample ID 240516-e3pmwscc57
Target 8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1
SHA256 8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1

Threat Level: Known bad

The file 8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 04:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 04:28

Reported

2024-05-16 04:30

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 460 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 460 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 460 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\system32\cmd.exe
PID 3892 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\system32\cmd.exe
PID 4840 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4840 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3892 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\rss\csrss.exe
PID 3892 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\rss\csrss.exe
PID 3892 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\rss\csrss.exe
PID 3360 wrote to memory of 1892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 1892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 1892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 1428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 1428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 1428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3444 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3360 wrote to memory of 3444 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1972 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1972 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1972 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe

"C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe

"C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmtm3kk3.30e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b91ad1eaa5dc0913b22ff0c92f75444d
SHA1 9ac9ad387ff037fc107625ad5cd66f7cabdbbe57
SHA256 36bc42ffe37dd971d22c993974a9dcf11eb37ddb558389ceaa244192058f251c
SHA512 21edf11b9477d1b48d324995b2a83a595cad855cab9b515f1cb5cbd8b734b23a45d6c78d652c5cd87fda69ca1693754dc6e12280e2a350ed987822dd2eafea6a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f94ee6542981c76713970540a2588549
SHA1 82860585571667100ce1e587d081fcd1b3e70c56
SHA256 7ff6c4ab1342084f42eb1f4f8223458025c70596b09f645e7fc213371421a8e6
SHA512 5299d52dc6f742d6596ca5c1108ec6597bc5d0639801c8641c1e7c5464e023a07eea10a7fccc7d8ab3c4a6dc1a6bf7435df6df64e5e92e65c6fc3fa6669e4e6a

C:\Windows\rss\csrss.exe

MD5 c99d47cc28fd0b0551b8be3165ca6e86
SHA1 d59c2d1046e7086afd9ee9dceba8630668e6d317
SHA256 8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1
SHA512 c7c46507ad23b2262b222fab91d88d56c63b82dc754d87bc42a93170e7b2809f1bf751b580d18fbf448d0639a74c270bb76712abb2fdec640279696191eb06f2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0bc563596028fd1b9339c3e02e328638
SHA1 4f2a8cb6fbf9e1e1d77346883d410102f9a999e7
SHA256 c63271a329410976faa2f6c91eff9b11c195fc9a33ea01f288b45655b3468007
SHA512 9b24ac2bde82facfe9e1ec250fc9e82e333d4750fc8f9c4cb264d7c6e9481b004ee5f64e6ccec37c54c54dc5cecba4cb82835fa8e40c0b35e026657cde3a2cb7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd2e273ef4301c28ddf1d0b8de7e373b
SHA1 83d8467eedf77ce3ab397bf654aec4a3761a91bc
SHA256 7db570ba781f32839ca427d9f28eaa878102be6e277c2a754c8016b5232507ab
SHA512 3ba50fb139da73a77a2ef51cca6389703209fb569a5a317570d95cf3d6810ce7e376646a06bc44f0ffc5acb42dc6bdfd56a07f46dbdf7b9315661f9053967acb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd4602f1b5dd7e4a3024c72aeeadb8af
SHA1 8956bb044ab1f5cd69775dfe9797a3ed169b6279
SHA256 476e16917b5dfded9ab0bf6903cef3316e42ff147f5d9c7de69f819511536df9
SHA512 47459cd8003c6e9329ec426328e9a0776ff9b7d984d28d7b656da7c3c0892b457ef87bef1f15442aa7cf8f363efb5369b5b6cb0c89862b029854eed0aba013c8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 04:28

Reported

2024-05-16 04:30

Platform

win11-20240426-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\system32\cmd.exe
PID 992 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 992 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4968 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\rss\csrss.exe
PID 4968 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\rss\csrss.exe
PID 4968 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe C:\Windows\rss\csrss.exe
PID 3312 wrote to memory of 3048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 3048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 3048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1752 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3312 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4220 wrote to memory of 4552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4552 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4552 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
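
The rows above are one line per WriteProcessMemory call, so the same parent/child pair repeats and the lineage is hard to read. The following is an added example (not part of the sandbox report) that rebuilds the process tree from a constructed subset of those rows and flags image-name masquerading: PID 3312 is C:\Windows\rss\csrss.exe, a system process name running outside System32, and the Files section shows that file carries the same SHA256 as the submitted sample. The list of protected image names and the directory check are the editor's assumptions, not something the sandbox asserts.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory'
rows and flag image-name masquerading.

Added example, not part of the report. SAMPLE_ROWS is a constructed subset
of the table (duplicate rows collapse to one parent/child edge); the
SYSTEM_IMAGES list and the directory check are assumptions.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"

SAMPLE_ROWS = "\n".join([
    f"PID 3148 wrote to memory of 2016 N/A {SAMPLE} {PS}",
    f"PID 3148 wrote to memory of 2016 N/A {SAMPLE} {PS}",   # one row per write call
    f"PID 4968 wrote to memory of 4932 N/A {SAMPLE} {PS}",
    rf"PID 4968 wrote to memory of 992 N/A {SAMPLE} C:\Windows\system32\cmd.exe",
    r"PID 992 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe",
    f"PID 4968 wrote to memory of 3664 N/A {SAMPLE} {PS}",
    f"PID 4968 wrote to memory of 1456 N/A {SAMPLE} {PS}",
    f"PID 4968 wrote to memory of 3312 N/A {SAMPLE} {CSRSS}",
    f"PID 3312 wrote to memory of 3048 N/A {CSRSS} {PS}",
    f"PID 3312 wrote to memory of 1752 N/A {CSRSS} {PS}",
    f"PID 3312 wrote to memory of 904 N/A {CSRSS} {PS}",
    f"PID 3312 wrote to memory of 1064 N/A {CSRSS} {INJECTOR}",
    r"PID 4220 wrote to memory of 4552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 4552 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumed list of images that only run from a system directory on a healthy host.
SYSTEM_IMAGES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_rows(text):
    """Return (image_by_pid, children_by_pid), collapsing duplicate rows."""
    image, children, seen = {}, {}, set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        ppid, pid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        image.setdefault(ppid, pimg)
        image.setdefault(pid, cimg)
        if (ppid, pid) not in seen:
            seen.add((ppid, pid))
            children.setdefault(ppid, []).append(pid)
    return image, children


def roots(children):
    """Parents that never appear as a child: the tree's entry points."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def render_tree(image, children, pid, depth=0):
    """Indented lines for `pid` and everything spawned under it."""
    lines = [f"{'  ' * depth}{pid} {image[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(image, children, child, depth + 1))
    return lines


def masquerade_findings(image, children):
    """PID -> reason. A system image name outside System32/SysWOW64 is
    flagged, and every descendant of a flagged process inherits a finding,
    because lineage is what matters when triaging the PowerShell children."""
    findings = {}
    for pid, path in image.items():
        directory, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_IMAGES and directory.lower() not in SYSTEM_DIRS:
            findings[pid] = f"{name} running from {directory}, not a system directory"

    def taint(pid):
        for child in children.get(pid, []):
            findings.setdefault(child, f"spawned by flagged PID {pid}")
            taint(child)

    for pid in list(findings):
        taint(pid)
    return findings


if __name__ == "__main__":
    image, children = parse_rows(SAMPLE_ROWS)
    for root in roots(children):
        print("\n".join(render_tree(image, children, root)))
    for pid, why in sorted(masquerade_findings(image, children).items()):
        print(f"[!] {pid}: {why}")
```

Run as-is it prints three trees (roots 3148, 4968 and 4220; the first two are both instances of the submitted sample) and flags 3312 plus the three powershell.exe children and injector.exe it spawned. Feed it the full table and the same logic applies.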

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe

"C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe

"C:\Users\Admin\AppData\Local\Temp\8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
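
The `sc sdset WinDefender ...` command in the process list above rewrites the service's security descriptor. Decoded, the DACL drops WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) from the Administrators allow ACE and adds an explicit deny for exactly those two rights, while leaving Administrators WRITE_DAC, DELETE and SERVICE_CHANGE_CONFIG; the SACL part is why sc.exe shows up adjusting SeSecurityPrivilege in the AdjustPrivilegeToken table. The following is an added example (not code from the report or from the malware) that parses the SDDL string, evaluates the DACL in ACE order the way an access check does, and diffs it against an assumed default service descriptor; that default is the editor's assumption and should be confirmed with `sc sdshow` on a known-clean host.

```python
"""Decode the service security descriptor the sample applies with
`sc sdset WinDefender ...`.

Added example, not code from the report or the malware. It maps the
two-letter SDDL access codes to service-object rights and evaluates the DACL
in ACE order, which shows that Administrators lose SERVICE_STOP and
SERVICE_PAUSE_CONTINUE while keeping WRITE_DAC.
"""
import re

# Copied verbatim from the `sc sdset` command line in the report.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Assumed baseline: the descriptor a freshly created service normally
# carries. Verify with `sc sdshow <service>` on a clean host before trusting the diff.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# How the SCM interprets the generic SDDL access codes on a service object.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# ACE layout is (type;flags;rights;object_guid;inherit_object_guid;sid); both
# GUID fields are empty for service ACEs, hence the ";;;" before the trustee.
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);;;([\w-]+)\)")
SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))+)")


def split_rights(code):
    """Split a rights string such as 'CCLCSWRP' into its two-letter codes."""
    if len(code) % 2:
        raise ValueError(f"odd-length rights string: {code!r}")
    return [code[i:i + 2] for i in range(0, len(code), 2)]


def parse_sddl(sddl):
    """Return (dacl, sacl); each ACE is (type, flags, [codes], trustee)."""
    sections = {}
    for key, body in SECTION_RE.findall(sddl):
        sections[key] = [
            (ace_type, flags, split_rights(rights), trustee)
            for ace_type, flags, rights, trustee in ACE_RE.findall(body)
        ]
    return sections.get("D", []), sections.get("S", [])


def access_check(dacl, trustee_sids, requested):
    """Simplified AccessCheck: walk the DACL in order. A deny ACE covering any
    still-unsatisfied right fails the check; allow ACEs retire rights.
    `trustee_sids` is the set of SID aliases the caller's token carries."""
    remaining = set(requested)
    for ace_type, _flags, codes, trustee in dacl:
        if trustee not in trustee_sids:
            continue
        if ace_type == "D" and remaining & set(codes):
            return False
        if ace_type == "A":
            remaining -= set(codes)
        if not remaining:
            return True
    return not remaining


def explicit_denies(dacl, trustee):
    """Rights an explicit deny ACE takes away from `trustee`."""
    return {RIGHTS.get(c, c) for t, _f, codes, who in dacl
            if t == "D" and who == trustee for c in codes}


def allowed_codes(dacl, trustee):
    return {c for t, _f, codes, who in dacl if t == "A" and who == trustee for c in codes}


def rights_removed(trustee, baseline_sddl, sddl):
    """Rights `trustee` is allowed in the baseline but not in `sddl`."""
    base = allowed_codes(parse_sddl(baseline_sddl)[0], trustee)
    new = allowed_codes(parse_sddl(sddl)[0], trustee)
    return sorted(RIGHTS.get(c, c) for c in base - new)


if __name__ == "__main__":
    dacl, _sacl = parse_sddl(SAMPLE_SDDL)
    print("Administrators denied:", sorted(explicit_denies(dacl, "BA")))
    print("vs. default, Administrators lost:",
          rights_removed("BA", DEFAULT_SERVICE_SDDL, SAMPLE_SDDL))
    for who, code in (("BA", "WP"), ("BA", "WD"), ("SY", "WP")):
        print(f"{who} {RIGHTS[code]}: {access_check(dacl, {who}, {code})}")
```

The practical consequence for responders: `sc stop` and the Services console fail for an administrator because of the deny ACE, but the same DACL still grants Administrators WRITE_DAC, DELETE and SERVICE_CHANGE_CONFIG, so rewriting the descriptor with `sc sdset` or deleting the service remains possible. LocalSystem keeps SERVICE_STOP throughout.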

Network

Country Destination Domain Proto
US 8.8.8.8:53 2a44a550-fe1a-499f-bb6b-47ba9f8ae920.uuid.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.dumppage.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.111:443 server11.dumppage.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server11.dumppage.org tcp
US 52.111.229.48:443 N/A tcp
BG 185.82.216.111:443 server11.dumppage.org tcp
BG 185.82.216.111:443 server11.dumppage.org tcp
N/A 127.0.0.1:31465 N/A tcp

Files

memory/3148-1-0x0000000002A30000-0x0000000002E30000-memory.dmp

memory/3148-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3148-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2016-4-0x000000007474E000-0x000000007474F000-memory.dmp

memory/2016-5-0x0000000004C90000-0x0000000004CC6000-memory.dmp

memory/2016-7-0x0000000005420000-0x0000000005A4A000-memory.dmp

memory/2016-6-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/2016-8-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/2016-9-0x00000000052C0000-0x00000000052E2000-memory.dmp

memory/2016-10-0x0000000005B40000-0x0000000005BA6000-memory.dmp

memory/2016-11-0x0000000005C60000-0x0000000005CC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kiotgwmg.vvc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2016-20-0x0000000005CD0000-0x0000000006027000-memory.dmp

memory/2016-21-0x0000000006150000-0x000000000616E000-memory.dmp

memory/2016-22-0x00000000061A0000-0x00000000061EC000-memory.dmp

memory/2016-23-0x00000000066F0000-0x0000000006736000-memory.dmp

memory/2016-24-0x0000000007580000-0x00000000075B4000-memory.dmp

memory/2016-27-0x0000000070B30000-0x0000000070E87000-memory.dmp

memory/2016-26-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/2016-37-0x00000000075E0000-0x0000000007684000-memory.dmp

memory/2016-36-0x00000000075C0000-0x00000000075DE000-memory.dmp

memory/2016-25-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/2016-38-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/2016-40-0x0000000007700000-0x000000000771A000-memory.dmp

memory/2016-39-0x0000000007D50000-0x00000000083CA000-memory.dmp

memory/2016-41-0x0000000007740000-0x000000000774A000-memory.dmp

memory/2016-42-0x0000000007800000-0x0000000007896000-memory.dmp

memory/2016-43-0x0000000007780000-0x0000000007791000-memory.dmp

memory/2016-44-0x00000000077B0000-0x00000000077BE000-memory.dmp

memory/2016-45-0x00000000077C0000-0x00000000077D5000-memory.dmp

memory/2016-46-0x00000000078C0000-0x00000000078DA000-memory.dmp

memory/2016-47-0x00000000078A0000-0x00000000078A8000-memory.dmp

memory/2016-50-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/4968-52-0x0000000002A20000-0x0000000002E19000-memory.dmp

memory/4932-61-0x0000000005B80000-0x0000000005ED7000-memory.dmp

memory/4932-63-0x00000000712F0000-0x0000000071647000-memory.dmp

memory/4932-72-0x00000000072E0000-0x0000000007384000-memory.dmp

memory/4932-62-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/4932-73-0x0000000007620000-0x0000000007631000-memory.dmp

memory/4932-74-0x0000000007670000-0x0000000007685000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a9a9a44f7ed2c473e8c70d428514f4b5
SHA1 83901016a34c03a2348672d8b087d834f36017af
SHA256 90d62d559b804a63359d5a02264e89b55719693291e05d1db6a449b071ceb131
SHA512 c1ff662fec45577ffd82920fd104c6efdb59a8e918e30c7003ddd939f38d1a31b3344f808b9301f8d2a40f929f61c01f9662bba6cf5a55356dca064f6fa189c1

memory/3664-88-0x0000000070B30000-0x0000000070E87000-memory.dmp

memory/3664-87-0x00000000709B0000-0x00000000709FC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c599d43e51403871d5ffc97a58cd8e28
SHA1 2160f0f77858667f6a68e314d210b84165573532
SHA256 c809146344316f58643c36e600eaaff9db31fb89eaa886e2a250912b05f937f7
SHA512 19c6cf68d734a4fb9776c1a438f63430c64812566b60179aae2bdd5baf976282f5b9de2cddad244e912f1eaeeb7b240d06924d359ff60a19837dd66168946353

memory/1456-108-0x0000000070B30000-0x0000000070E87000-memory.dmp

memory/1456-107-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/3148-119-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/3148-117-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3148-118-0x0000000002A30000-0x0000000002E30000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c99d47cc28fd0b0551b8be3165ca6e86
SHA1 d59c2d1046e7086afd9ee9dceba8630668e6d317
SHA256 8f33621dd9de316295b7d7bde8c334aa0f513d844f2ab5fb2ce86b44297ec5b1
SHA512 c7c46507ad23b2262b222fab91d88d56c63b82dc754d87bc42a93170e7b2809f1bf751b580d18fbf448d0639a74c270bb76712abb2fdec640279696191eb06f2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a5572e6aa684839951bb3c513b573da3
SHA1 5415a2bd11833e40315ccbd2e6d9e27b07e84211
SHA256 44cabe14ac5fece787d5a146496b44218d97dfbd48801ff941a75b0175401636
SHA512 2c14a568c3e6fd554542113822ed0e8e7dfa58345db5723dcabc7d50f0386b23ced0a3e5344cbe3927cfbfabe02f8a3111e44ca15c1a765f6fd293b34b024e2c

memory/3048-136-0x0000000070B30000-0x0000000070E87000-memory.dmp

memory/3048-135-0x00000000709B0000-0x00000000709FC000-memory.dmp

memory/1752-154-0x00000000061D0000-0x0000000006527000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1101e488bbf31332a88e66e6abb29c6
SHA1 a1990020585a377f422effa936b58da6d873e763
SHA256 38b6212ebe11d7a1fa108ca4e3140920bc06ed530628d1cff138b27832d61e90
SHA512 0d58659930c468dc6b27f082510e80fc19786e1028f3f68387ad08699b65d0375bf3450372e30ffd5dc406c190b50cef2e09acc9cc3530930d5333acc420a758

memory/1752-156-0x0000000006CD0000-0x0000000006D1C000-memory.dmp

memory/1752-157-0x00000000708D0000-0x000000007091C000-memory.dmp

memory/1752-158-0x0000000071210000-0x0000000071567000-memory.dmp

memory/1752-167-0x00000000079B0000-0x0000000007A54000-memory.dmp

memory/1752-168-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

memory/1752-169-0x0000000006550000-0x0000000006565000-memory.dmp

memory/904-179-0x0000000005D00000-0x0000000006057000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bfb476f3ad9b57817404e5fd8684d610
SHA1 be9761ae584700fa8cb767f0c093d90716c78b5c
SHA256 7b053dfebc003e7c1487e32e7e4aaa0d3058ac1da57322a3593ada09249b5f94
SHA512 36092943ca785e061d701b88129de7bc66bcf72292dab9a14d771459216405444d638784c347894e6200166c33784c0e43255d5972108fe89d7e0ea2cbe4bf05

memory/904-181-0x00000000708D0000-0x000000007091C000-memory.dmp

memory/904-182-0x0000000070AE0000-0x0000000070E37000-memory.dmp

memory/4968-192-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3312-199-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4220-204-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/768-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4220-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4968-210-0x0000000002A20000-0x0000000002E19000-memory.dmp

memory/3312-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3312-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/768-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3312-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3312-256-0x0000000000400000-0x0000000000D1C000-memory.dmp