Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-e48gdscc93
Target 69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65
SHA256 69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65

Threat Level: Known bad

The file 69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 04:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 04:30

Reported

2024-05-16 04:33

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(18 rows, all N/A: the sandbox reports no indicator, process or target detail for this signature)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(7 rows, all N/A: the sandbox reports no indicator, process or target detail for this signature)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
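The persistence and tamper commands this sample runs (the csrss Run value above, the schtasks /CREATE line, the netsh allow rule and the sc sdset line in the Processes section) can be matched with a few command-line rules. The block below is an added example written for this page, not sandbox logic; the rules and the list of protected process names are my own heuristics, the first four input lines are copied from this report, and the last three are constructed benign lines that show the rules stay quiet on ordinary administration. The masquerade check generalises beyond csrss.exe: any protected system process name started from outside System32/SysWOW64 is flagged (ATT&CK T1036.005).

```python
"""Flag persistence and tamper command lines from a sandbox report.
Added example by the editor; rules are heuristics, not sandbox code."""
import re

# Names that belong only in System32/SysWOW64; elsewhere they are masquerading.
# Assumption: extend this list for your own estate.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "wininit.exe",
                "winlogon.exe", "services.exe", "conhost.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_masquerading(path):
    """True when a protected system process name runs from a non-system directory."""
    p = path.strip('"').lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def rule_schtasks_onlogon_highest(line):
    # Logon-triggered task at the highest run level, as the sample's "csrss" task.
    m = re.search(r'schtasks\s+/create\b(?=.*\s/sc\s+onlogon\b)(?=.*\s/rl\s+highest\b)'
                  r'.*?/tr\s+("[^"]+"|\S+)', line, re.I)
    return {"path": m.group(1).strip('"')} if m else None


def rule_netsh_allow_program(line):
    # Inbound allow rule for one executable, as added for csrss.exe.
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\baction=allow\b)'
                  r'.*?\bprogram=("[^"]+"|\S+)', line, re.I)
    return {"path": m.group(1).strip('"')} if m else None


def rule_sc_sdset_deny_ace(line):
    # Service DACL rewritten with an explicit deny ACE (the WinDefender trick).
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", line, re.I)
    if m and "(D;" in m.group(2):
        return {"service": m.group(1), "sddl": m.group(2)}
    return None


def rule_run_key(line):
    # Registry Run value as the sandbox prints it, with the escaped quoted path.
    m = re.search(r'\\CurrentVersion\\Run\\(\S+)\s*=\s*"(.*?)"(?:\s|$)', line, re.I)
    if not m:
        return None
    path = re.sub(r"\\(.)", r"\1", m.group(2)).strip('"')   # undo \" and \\ escapes
    return {"value": m.group(1), "path": path}


RULES = {
    "schtasks_onlogon_highest": rule_schtasks_onlogon_highest,
    "netsh_allow_program": rule_netsh_allow_program,
    "sc_sdset_deny_ace": rule_sc_sdset_deny_ace,
    "run_key_autostart": rule_run_key,
}


def scan(lines):
    """Return [(rule_name, detail)] and add a masquerade hit for every extracted path."""
    hits = []
    for line in lines:
        for name, rule in RULES.items():
            detail = rule(line)
            if detail is None:
                continue
            hits.append((name, detail))
            if "path" in detail and is_masquerading(detail["path"]):
                hits.append(("masquerade_system_name", {"path": detail["path"]}))
    return hits


# First four lines are from this report; the last three are constructed benign lines.
SAMPLE_LINES = r'''
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
schtasks /Create /SC DAILY /ST 03:00 /TR "C:\Program Files\Acme\updater.exe" /TN AcmeUpdate
netsh advfirewall firewall add rule name="Block telnet" dir=in action=block protocol=TCP localport=23
sc sdset Spooler D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
'''.strip().splitlines()

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_LINES):
        print(f"{name:26} {detail}")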

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (14 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A (12 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\system32\cmd.exe
PID 540 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\system32\cmd.exe
PID 4736 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4736 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 540 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\rss\csrss.exe
PID 540 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\rss\csrss.exe
PID 540 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\rss\csrss.exe
PID 4484 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2188 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2188 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2188 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 4104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 4104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 4104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2200 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4484 wrote to memory of 2200 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1188 wrote to memory of 4940 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 4940 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 4940 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4940 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4940 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
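The table above is the only place this report records parent/child relationships, and it logs one row per write, so a single process start appears as two or three rows. The block below is an added example written for this page, not sandbox output: it deduplicates the rows, rebuilds the process tree and prints it. The embedded rows are the distinct parent/child pairs from the table, one representative row each, with the first row repeated to exercise the dedup. Two things the tree makes visible: the dropper runs twice (PIDs 4144 and 540, both roots), and windefender.exe (PID 1188) has no creator in the table even though csrss.exe wrote the file, which is consistent with it being started through the service control manager (the sample sets a descriptor on a service named WinDefender in the Processes section).

```python
"""Rebuild a process tree from 'PID X wrote to memory of Y' sandbox rows.
Added example by the editor; not sandbox code."""
import re
from collections import defaultdict

# Assumption: both image paths end in .exe, as every row in this report does.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?\.exe) (.+?\.exe)$", re.I)

# Rows copied from the table above (distinct pairs, first row duplicated on purpose).
WRITE_ROWS = r"""
PID 4144 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\system32\cmd.exe
PID 4736 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 540 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\rss\csrss.exe
PID 4484 wrote to memory of 5028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2188 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 4104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2200 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1188 wrote to memory of 4940 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""


def parse_rows(text):
    """{(ppid, pid): (parent_image, child_image)}, one entry per distinct pair."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, pid, pimg, cimg = m.groups()
            edges[(int(ppid), int(pid))] = (pimg, cimg)
    return edges


def build_tree(edges):
    """Return (children, parent, image, roots). Roots are PIDs never written to,
    i.e. processes whose creator does not appear in the table."""
    children, parent, image = defaultdict(list), {}, {}
    for (ppid, pid), (pimg, cimg) in edges.items():
        children[ppid].append(pid)
        parent[pid] = ppid
        image[ppid], image[pid] = pimg, cimg
    roots = sorted(p for p in image if p not in parent)
    return children, parent, image, roots


def ancestry(parent, pid):
    """PIDs from the root down to pid (guarded against malformed cyclic input)."""
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(children, image, roots):
    """Indented text tree, children in PID order."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    children, parent, image, roots = build_tree(parse_rows(WRITE_ROWS))
    print("\n".join(render(children, image, roots)))
```

The same parser works on the full table; feeding it all 36 rows yields the same 13 edges.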

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe

"C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe

"C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 49069644-f8a0-4931-98c0-6790b9e06f2c.uuid.dumperstats.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server15.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server15.dumperstats.org tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server15.dumperstats.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.111:443 server15.dumperstats.org tcp

Files

memory/4144-1-0x0000000002980000-0x0000000002D88000-memory.dmp

memory/4144-2-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/4144-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3596-4-0x000000007481E000-0x000000007481F000-memory.dmp

memory/3596-5-0x0000000005070000-0x00000000050A6000-memory.dmp

memory/3596-6-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/3596-7-0x0000000005750000-0x0000000005D78000-memory.dmp

memory/3596-8-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/3596-9-0x0000000005650000-0x0000000005672000-memory.dmp

memory/3596-10-0x0000000005D80000-0x0000000005DE6000-memory.dmp

memory/3596-11-0x0000000005DF0000-0x0000000005E56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4ufowyq.noc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3596-21-0x0000000005EA0000-0x00000000061F4000-memory.dmp

memory/3596-22-0x0000000006630000-0x000000000664E000-memory.dmp

memory/3596-23-0x00000000066D0000-0x000000000671C000-memory.dmp

memory/3596-24-0x0000000006B70000-0x0000000006BB4000-memory.dmp

memory/3596-25-0x0000000007980000-0x00000000079F6000-memory.dmp

memory/3596-26-0x0000000008080000-0x00000000086FA000-memory.dmp

memory/3596-27-0x0000000007A00000-0x0000000007A1A000-memory.dmp

memory/3596-30-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/3596-29-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/3596-28-0x0000000007BB0000-0x0000000007BE2000-memory.dmp

memory/3596-31-0x0000000071290000-0x00000000715E4000-memory.dmp

memory/3596-41-0x0000000007BF0000-0x0000000007C0E000-memory.dmp

memory/3596-42-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/3596-43-0x0000000007C10000-0x0000000007CB3000-memory.dmp

memory/3596-44-0x0000000007D00000-0x0000000007D0A000-memory.dmp

memory/3596-46-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/3596-45-0x0000000007DC0000-0x0000000007E56000-memory.dmp

memory/3596-47-0x0000000007D20000-0x0000000007D31000-memory.dmp

memory/3596-48-0x0000000007D60000-0x0000000007D6E000-memory.dmp

memory/3596-49-0x0000000007D70000-0x0000000007D84000-memory.dmp

memory/3596-50-0x0000000007E60000-0x0000000007E7A000-memory.dmp

memory/3596-51-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

memory/3596-54-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/540-56-0x00000000029C0000-0x0000000002DB9000-memory.dmp

memory/4144-57-0x0000000002980000-0x0000000002D88000-memory.dmp

memory/4144-58-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/1932-68-0x0000000005BE0000-0x0000000005F34000-memory.dmp

memory/1932-69-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/1932-70-0x0000000070830000-0x0000000070B84000-memory.dmp

memory/1932-80-0x0000000007260000-0x0000000007303000-memory.dmp

memory/1932-81-0x0000000007590000-0x00000000075A1000-memory.dmp

memory/4144-82-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1932-83-0x00000000075E0000-0x00000000075F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4340-87-0x0000000005650000-0x00000000059A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 58e2394815a34c298c1290f3fefa55fb
SHA1 7f163d0e25dab1061687a4ef4a9e2160c3cc406c
SHA256 c84f06bcdf708855cb9af553ab529db2496a1ab0fedf5a4c8cf74783a3be0d76
SHA512 172795faf832d304e5dfa85c7fbd584d7af78bfc84c2b8619361f175d407a2c7e30143b69284f132d754497c614442f0fb8cfa54a93ada72d7cf501e2342731b

memory/4340-98-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/4340-99-0x0000000070E30000-0x0000000071184000-memory.dmp

memory/1548-119-0x00000000054C0000-0x0000000005814000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f82a5653b33d6ad171149ed9283d4cc1
SHA1 428b8f7f6fdbbc12866bdcf149794f697d357668
SHA256 ed09ea532cd862fc501f003143da959655401a07f12b9eceb1247868678cb274
SHA512 6de9d3edfbd8cd7f278b9de62dc293792801136efb97016a8d34a1779754446c54e3420f91119a7fa076abc1d89d6f8fc151747c9d5aa480e0b890b316ef9643

memory/1548-121-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/1548-122-0x0000000070AD0000-0x0000000070E24000-memory.dmp

memory/540-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a24fd2315ead75a77c83cf061679acb9
SHA1 e3b687f4ca6b22ceba680916fc45912df927151f
SHA256 69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65
SHA512 60a0cefe6fcf1dc2d78f23addbf7724891b073bf388e65e60f6493da0981691e3b7a7a4ff2b4571dcf301477c3bbc3fc60fcb535afec5e53e6ccd54399110146

memory/540-138-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb9189d4c9ef1bcf8763ff93414c3982
SHA1 ccd8f7dd580b814bf3dc73fb9cff85659864935e
SHA256 6934289832fdae79a186f8cdf42e2ffd91a568151483eea2c0ef89087b1572f0
SHA512 801bc29b444033743f7aa8bf1193e6e4506780cf46a8f4afb9db3b454807a14f4a058904a88e68713a974cd7a4e5003625f265a4bd27e072e7fd20fc974e7cff

memory/5028-151-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/5028-152-0x0000000070E30000-0x0000000071184000-memory.dmp

memory/2188-172-0x0000000005F90000-0x00000000062E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0ab0fb9b5972ea530c9474c16811fca1
SHA1 fc1e54b18ad4d4cd7e56f1b33059025d3a3e4fc3
SHA256 06cdf0d10f8b0a321b2d51f1b7f084ce52d57e8cd6fa1aa57fa88fb3a13bb618
SHA512 68f9b50eb6e4aa10ad76eea0e651180cb91c5deb7bdfbe98c8fe81aa365b8ccc90f702643fa868c888a26ee058c14ea41da6e3d903819658736151344f1f2341

memory/2188-174-0x0000000006960000-0x00000000069AC000-memory.dmp

memory/2188-175-0x00000000705D0000-0x000000007061C000-memory.dmp

memory/2188-176-0x0000000070750000-0x0000000070AA4000-memory.dmp

memory/2188-186-0x0000000007670000-0x0000000007713000-memory.dmp

memory/2188-187-0x0000000007970000-0x0000000007981000-memory.dmp

memory/2188-188-0x0000000005EA0000-0x0000000005EB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d22a9ef0bf03bd8c5da299c16efeb034
SHA1 593a1c31d3a161fa974bdc1f94a8be8407b98e55
SHA256 9ee9884b818b6f04ee2bcba0de145d1af70e93f5253b3558a0ea4f4fe1c8ca6f
SHA512 4b6a1d22a7f099a90d7337f892efd826a777891d9c76b963931af929d7644d1b9018825f33d9d7ec681a73e8a4a919d354f964b5ab359b0d3a6623b46ccfe996

memory/4104-200-0x00000000705D0000-0x000000007061C000-memory.dmp

memory/4104-201-0x0000000070750000-0x0000000070AA4000-memory.dmp

memory/4484-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1188-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4484-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1188-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1192-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4484-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1192-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4484-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1192-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4484-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4484-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4484-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4484-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1192-246-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4484-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4484-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4484-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4484-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 04:30

Reported

2024-05-16 04:33

Platform

win11-20240426-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\system32\cmd.exe
PID 1460 wrote to memory of 236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 396 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe C:\Windows\rss\csrss.exe
PID 3492 wrote to memory of 3540 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 1516 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4644 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 2300 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3612 wrote to memory of 4840 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe

"C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe

"C:\Users\Admin\AppData\Local\Temp\69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e65e8a7c-8eb2-464c-8d05-327cdbaedfa6.uuid.dumperstats.org udp
US 8.8.8.8:53 server7.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server7.dumperstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 52.111.229.48:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxuk2mca.qnc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 669fecea6bb3593ca484b8aa1e033b36
SHA1 df966a09cf5ea2ef6d826208a8983896295f9db8
SHA256 4c7dff2b3e6d8195ef8f1f58cc79a01d2229e03293a9f55e9f7c0985d6b06bdc
SHA512 13323d2e04aad6789ff3bb19a8faa6c9051fc175ca5e79595c3eab058b73d3d27588fc09deec08f10a650fe75f0ff207d2ad47fcf474444842756fccdb94310c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b2ba733194c00b469e561c77eeb175cf
SHA1 e92b77f12d393c370d0be155832b7f4b6f16fc8f
SHA256 f104beefc2346cef64be5a5ca34c45a428cd63e242ecf37fd495dfb8a1901456
SHA512 b02ed392901deec37eeb5d2af8fb15a31865271f2b5d5e601ca0e0e41a13d198eb52e1db722e34922ca25e74bbcdbc497e38022f7bdb2caf1135dd3e307fc4c7

C:\Windows\rss\csrss.exe

MD5 a24fd2315ead75a77c83cf061679acb9
SHA1 e3b687f4ca6b22ceba680916fc45912df927151f
SHA256 69809536935dacb0f7249caf70f4490d2927827241527b583517fc2d56a91e65
SHA512 60a0cefe6fcf1dc2d78f23addbf7724891b073bf388e65e60f6493da0981691e3b7a7a4ff2b4571dcf301477c3bbc3fc60fcb535afec5e53e6ccd54399110146

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 846ab3c2d6d0d11939b8d4f5c336dd99
SHA1 9a14cf341eb65be02098291124b2d5f5169252e3
SHA256 77b681b85c16d9622f1903956acf0781321232a1889e9a2d06e266e92ffb11e7
SHA512 3bf3d48f82f3b68928f19d2a1ce4ffe079bac1e0baa498e180a8937b925718a4aa8308169dc42548e7bfbefa844700d459bd7178fd6844884d5418ffc818da2a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 316431c19f8ef17d5432d4cee20daa56
SHA1 f22459917ededbb0ecfd5fe5b0c04aba38f2c179
SHA256 57c89b7df7f3c8baa885da989d8b676ff162cf4d1407be077c4006f8d2aef4e5
SHA512 0cfe46a9d9dcfefbe2cb726c0cc799ad16b4cf53749c0252d0793d57892e989f60f094b615f9e14fb5cba418c288c756eaa50e24a7186e7a8dd740bc28b6ff7f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 53d7aa19b139f5d7913cc0d6c5660e52
SHA1 414e63df2e777bf0668d40ba204704957885006a
SHA256 e0273221aae9a48e87f05293b6bb3eb4d433c0dab47a22e9823ef8050a26c827
SHA512 ebb65495be372eed1596681fa84d57cfb4ab8ff28ca29dc81fcc01bd807c202b3b64c85be4f56e95cc8d4b1ef884133c7e889f6aabb6b2e8c515f3b20c93a7a6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
