Malware Analysis Report

2025-01-02 06:39

Sample ID: 240516-ezj81abg41
Target: 915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208
SHA256: 915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208

Threat Level: Known bad

The file 915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 04:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 04:22

Reported: 2024-05-16 04:25

Platform: win10v2004-20240508-en

Max time kernel: 150s

Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Matched 19 times; the report records no description, indicator, process or target for these matches.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Count Description Indicator Process Target
1 N/A N/A C:\Windows\rss\csrss.exe N/A
1 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
2 N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Matched 6 times; the report records no description, indicator, process or target for these matches.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Count Description Indicator Process Target
5 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
1 File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
1 File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Count Description Indicator Process Target
2 N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
14 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
12 N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
6 N/A N/A C:\Windows\rss\csrss.exe N/A
32 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
7 Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
1 Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
1 Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
2 Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 1808 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2 PID 2224 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\system32\cmd.exe
2 PID 1504 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
3 PID 2224 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\rss\csrss.exe
3 PID 2480 wrote to memory of 4500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 2480 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 2480 wrote to memory of 2068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2 PID 2480 wrote to memory of 952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
3 PID 1908 wrote to memory of 4476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
3 PID 4476 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe

"C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe

"C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 9c120e13-b0c6-4359-8f01-5a2f3687f65e.uuid.dumppage.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server14.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server14.dumppage.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server14.dumppage.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.111:443 server14.dumppage.org tcp

Files

memory/1808-1-0x0000000002920000-0x0000000002D22000-memory.dmp

memory/1808-2-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/1808-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4212-4-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4212-5-0x00000000048B0000-0x00000000048E6000-memory.dmp

memory/4212-6-0x0000000005040000-0x0000000005668000-memory.dmp

memory/4212-7-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

memory/4212-8-0x00000000057A0000-0x0000000005806000-memory.dmp

memory/4212-9-0x0000000005810000-0x0000000005876000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrp00mrb.5fr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4212-19-0x0000000005980000-0x0000000005CD4000-memory.dmp

memory/4212-20-0x0000000005E70000-0x0000000005E8E000-memory.dmp

memory/4212-21-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

memory/4212-22-0x0000000006F90000-0x0000000006FD4000-memory.dmp

memory/4212-23-0x00000000071A0000-0x0000000007216000-memory.dmp

memory/4212-24-0x00000000078A0000-0x0000000007F1A000-memory.dmp

memory/4212-25-0x0000000007240000-0x000000000725A000-memory.dmp

memory/4212-26-0x00000000073F0000-0x0000000007422000-memory.dmp

memory/4212-28-0x00000000704C0000-0x0000000070814000-memory.dmp

memory/4212-27-0x0000000070340000-0x000000007038C000-memory.dmp

memory/4212-38-0x0000000007430000-0x000000000744E000-memory.dmp

memory/4212-39-0x0000000007450000-0x00000000074F3000-memory.dmp

memory/4212-40-0x0000000007540000-0x000000000754A000-memory.dmp

memory/4212-41-0x0000000007650000-0x00000000076E6000-memory.dmp

memory/4212-42-0x0000000007550000-0x0000000007561000-memory.dmp

memory/4212-43-0x0000000007590000-0x000000000759E000-memory.dmp

memory/4212-44-0x00000000075B0000-0x00000000075C4000-memory.dmp

memory/4212-45-0x0000000007600000-0x000000000761A000-memory.dmp

memory/4212-46-0x00000000075F0000-0x00000000075F8000-memory.dmp

memory/4212-49-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2224-51-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2224-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1508-58-0x0000000005650000-0x00000000059A4000-memory.dmp

memory/1508-63-0x0000000070340000-0x000000007038C000-memory.dmp

memory/1508-64-0x0000000070AE0000-0x0000000070E34000-memory.dmp

memory/1508-74-0x0000000006EF0000-0x0000000006F93000-memory.dmp

memory/1508-75-0x00000000071D0000-0x00000000071E1000-memory.dmp

memory/1508-76-0x0000000007220000-0x0000000007234000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4360-86-0x0000000006250000-0x00000000065A4000-memory.dmp

memory/1808-85-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8de2f7a310f3823918b5ffda546aae13
SHA1 0dcaa54dd3c34b949802d59bd59257cc0bd7195f
SHA256 6786f5a0169bf31a85085a1061db9ff72cfa5e9934e7b3b3ae10c299509654d2
SHA512 9e20ffda6b14cb60f2cf9152b14705a8a39b31eff3a8f5d0bccc255262a5ebf5e6e586986cce443f2a644ae8d72c2641cd462d344114394f5a638456a8e7b938

memory/4360-92-0x0000000070340000-0x000000007038C000-memory.dmp

memory/4360-93-0x0000000070AC0000-0x0000000070E14000-memory.dmp

memory/1036-110-0x0000000005BB0000-0x0000000005F04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ed15d9534724f445c82c0443ade0ecb
SHA1 14097d7e5d9def5545bee24847ce4b8972d44728
SHA256 a2d6deaf6ec50527f3ac3e53ae66bda527e2d86fab7005aaaf234bccc1b90e22
SHA512 27bebb820875dfc113635839993036d8fed0f9b2f98b4e3aed396bb047ac6fe5b3d5b23222eff0467c8f76041e34bbad9075a5a2f10c35542d14c257fdfaadea

memory/1036-115-0x0000000070340000-0x000000007038C000-memory.dmp

memory/1036-116-0x0000000070AF0000-0x0000000070E44000-memory.dmp

memory/1808-126-0x0000000002920000-0x0000000002D22000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 aa7ebd3c0a49656b5124d82fc75d25c3
SHA1 fd079a071751502639beedd6f5c90a39944e1d93
SHA256 915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208
SHA512 ced155b17c4d67e80a81fe3b201c95ca98407ffedacb62d838763e10016fee5c319863335d41d93f486eaf982a4ce0d17a6853357a519cac8af3fa86e479bd15

memory/2224-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 36f7d1077ee8a59d69ef3f85b0082a45
SHA1 4c17530225bfb80f45cc48a537a50641f67796e8
SHA256 87fcce8fd82f7208827728970c15caa635e7fc0a2527f33bc256a04c3d4fa30f
SHA512 3e9c7c29cca2e07a5952cc9ef7248af31012d5caca26ab1a39173e1ff02838ba65be8d64367ddc3d8da424f019ee380da5832b9fd4a752a6d16a9cebff6028cf

memory/4500-145-0x0000000070340000-0x000000007038C000-memory.dmp

memory/4500-146-0x00000000704C0000-0x0000000070814000-memory.dmp

memory/1808-156-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/3964-167-0x0000000005A40000-0x0000000005D94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2571853daa625f9908dc80d9f4911785
SHA1 d8057bf77392f8f8c5a416518a2726269dd160ba
SHA256 790a36b8af0e6f6622380484c03a7d047e6083a04cea80cf4a1a4f3ed509e40c
SHA512 21c71dbeef5aaf3d972c3008dc073e19faf52f77abdfc67ddf9ce5822284115250b93a45c42d46b41f322c01455392b42045d6de1ce4e70e73e195a73aed3d0c

memory/3964-169-0x0000000006430000-0x000000000647C000-memory.dmp

memory/3964-170-0x0000000070260000-0x00000000702AC000-memory.dmp

memory/3964-171-0x00000000703E0000-0x0000000070734000-memory.dmp

memory/3964-181-0x0000000007180000-0x0000000007223000-memory.dmp

memory/3964-182-0x0000000005890000-0x00000000058A1000-memory.dmp

memory/3964-184-0x00000000059D0000-0x00000000059E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ece7e7a2fc3cd2646aadae9275387489
SHA1 33d2de20e9e50d8305c7a79e73395cfab33364bd
SHA256 52180ae985259e670b12a9bab19dcaa9edec29c0765224ce10318dce0f978f7b
SHA512 dfa35579040bb043a2786e72d9ac65b5955fe581c8d1a862691617ba8d8aa738521f067bdea05767f376512f031cb321bd6e538f156fbf5bc8c0764729bf8b32

memory/2068-196-0x0000000070260000-0x00000000702AC000-memory.dmp

memory/2068-197-0x00000000703E0000-0x0000000070734000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2480-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1908-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4800-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1908-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2480-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4800-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2480-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4800-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2480-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 04:22

Reported

2024-05-16 04:25

Platform

win11-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1392 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\system32\cmd.exe
PID 3600 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\system32\cmd.exe
PID 1864 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1864 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3600 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3600 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\rss\csrss.exe
PID 3600 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\rss\csrss.exe
PID 3600 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe C:\Windows\rss\csrss.exe
PID 2900 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 392 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1464 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2900 wrote to memory of 1464 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4284 wrote to memory of 2988 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2988 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2988 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2988 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2988 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe "C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe "C:\Users\Admin\AppData\Local\Temp\915b290d14d7e7bf50fb921e79953f21edc37f942acd3ccf4e244a59bb8af208.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\system32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe "C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 7c7a2f0c-e4e8-4b83-be35-3289daa2b881.uuid.dumppage.org udp
US 8.8.8.8:53 server7.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server7.dumppage.org tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server7.dumppage.org tcp
BG 185.82.216.111:443 server7.dumppage.org tcp

Files
