Malware Analysis Report

2024-12-08 02:10

Sample ID 240516-pnzjnace2y
Target bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58
SHA256 bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58

Threat Level: Known bad

The file bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:29

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:29

Reported

2024-05-16 12:31

Platform

win11-20240426-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\system32\cmd.exe
PID 1276 wrote to memory of 4924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1276 wrote to memory of 4924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4368 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\rss\csrss.exe
PID 4368 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\rss\csrss.exe
PID 4368 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\rss\csrss.exe
PID 396 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4272 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 4636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 396 wrote to memory of 1224 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 396 wrote to memory of 1224 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2012 wrote to memory of 1368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1368 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1368 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1368 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe

"C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe

"C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 1ec3db1d-ae71-4e02-a6af-e4ae80f7c08f.uuid.dumppage.org udp
US 8.8.8.8:53 server15.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server15.dumppage.org tcp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server15.dumppage.org tcp
BG 185.82.216.111:443 server15.dumppage.org tcp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xg4nzn2.3n3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 25413ab98c752c5107c25fabb64822f6
SHA1 2fb86026dc3f137bf577bceb50b5324be3e4ab21
SHA256 6fa6a2146ff48355b3b67192e5962bb7a78448be89491e23fe1c40c810e969df
SHA512 66dc023d347f717bb032f56cb9c6d22de90f0cee411cad93853bf2ff9ade16b57a2d85daab56b4e940c63cd1a0518267f75f0872d9cb69f8493d557d1fa2fca9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 37f65a5f14eda73110d2a11067a2d346
SHA1 aae8224b487501ed8fed16962c46d839725d9b28
SHA256 96c173c626751abb9e5c56e144ceae3c3ca546b44e910826395dfbbc762d4712
SHA512 78e2e2e17874ee1320dd6dd1d9b2a2d8b4de7424e957174e99e65c352e346aed97918f3df7af8ad390ef5edf687b48f99c983b82245722605c76d2f1944e8b16

C:\Windows\rss\csrss.exe

MD5 98ac0a84afbade3abe697e307d07f043
SHA1 1444bb2cf0bd5ddfa6a7e1e2a3efd1d4c26880e6
SHA256 bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58
SHA512 e974cf68edf1c91dce1b2faa50867b424bff8b95090307e238bf0fec1ff28e9f8ecb0004d02c376f360452e5c1b4acc0b63749a40a0c58d486d0690dce631563

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9e5b6b8b3811dea434631d4f04274a5b
SHA1 00e9b68a7eccb27081fe36f938ad159d9b3b83be
SHA256 df8e4bffe4e07289c9ebcbfce3b17e39d66f55cb0e4801c9b4cf7b3fa96c10a2
SHA512 c2ed5dbb8a0de6f76a7b23cc80bdafa4588dc27101867d00c08e9e2fd0b92c74ab3856d27dde80f58d2def12e5674ef2154943f6cf555575199bcbddeee6d2d8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4658cc088e0248602a0704b788e615b
SHA1 08e95a530517261e9b8ac16ba0edf8efe04f21a6
SHA256 abee8c6793b2c382d4c13a98ff538529ea094898af9fd4babb88d55151977ca5
SHA512 377eea4ad2909a76020cec04557ccc5d1e7e0c00a0a7585c28f6febe52e542364972f3c3514d01a78a891d159dacc44126a6068389a52e8c647b77fff2f3ef04

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5e2304f20ce93f1c9890257fa9669da7
SHA1 f83251ede8f0e686d9ddac74875d60460b7ab5a9
SHA256 df4650aa0903f8be5edcf56e1df4623f83d1fff9b8ca6b2c97291e3556147538
SHA512 7a13461ff4538635c0f64ff56d3cab9e34d7f84822542bb53259fde9c366ac7d305c0ab1b27c0a43333ecd4cee36455f6c537d055893d18bd1f7d93d84d7b6cc

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:29

Reported

2024-05-16 12:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\system32\cmd.exe
PID 3648 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3648 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1692 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\rss\csrss.exe
PID 1692 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\rss\csrss.exe
PID 1692 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe C:\Windows\rss\csrss.exe
PID 4160 wrote to memory of 4892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 4892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 4892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 3216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 2348 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4160 wrote to memory of 2348 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 540 wrote to memory of 4564 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4564 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4564 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4564 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4564 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe

"C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe

"C:\Users\Admin\AppData\Local\Temp\bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 16c02a1b-3f24-4406-a089-69141b1ad4f9.uuid.dumppage.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server4.dumppage.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server4.dumppage.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server4.dumppage.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
BG 185.82.216.111:443 server4.dumppage.org tcp

Files

memory/2552-1-0x0000000002930000-0x0000000002D37000-memory.dmp

memory/2552-2-0x0000000002D40000-0x000000000362B000-memory.dmp

memory/2552-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2236-4-0x000000007427E000-0x000000007427F000-memory.dmp

memory/2236-5-0x0000000002810000-0x0000000002846000-memory.dmp

memory/2236-6-0x0000000074270000-0x0000000074A20000-memory.dmp

memory/2236-7-0x00000000050F0000-0x0000000005718000-memory.dmp

memory/2236-8-0x0000000074270000-0x0000000074A20000-memory.dmp

memory/2236-9-0x0000000004F40000-0x0000000004F62000-memory.dmp

memory/2236-10-0x0000000005720000-0x0000000005786000-memory.dmp

memory/2236-11-0x0000000005790000-0x00000000057F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epukixhv.cys.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2236-21-0x0000000005800000-0x0000000005B54000-memory.dmp

memory/2236-22-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

memory/2236-23-0x0000000005E30000-0x0000000005E7C000-memory.dmp

memory/2236-24-0x0000000006360000-0x00000000063A4000-memory.dmp

memory/2236-25-0x0000000007120000-0x0000000007196000-memory.dmp

memory/2236-26-0x0000000007820000-0x0000000007E9A000-memory.dmp

memory/2236-27-0x00000000071C0000-0x00000000071DA000-memory.dmp

memory/2236-29-0x0000000070110000-0x000000007015C000-memory.dmp

memory/2236-28-0x0000000007370000-0x00000000073A2000-memory.dmp

memory/2236-30-0x00000000704C0000-0x0000000070814000-memory.dmp

memory/2236-42-0x00000000073D0000-0x0000000007473000-memory.dmp

memory/2236-41-0x00000000073B0000-0x00000000073CE000-memory.dmp

memory/2236-43-0x0000000074270000-0x0000000074A20000-memory.dmp

memory/2236-40-0x0000000074270000-0x0000000074A20000-memory.dmp

memory/2236-44-0x00000000074C0000-0x00000000074CA000-memory.dmp

memory/2236-45-0x00000000075D0000-0x0000000007666000-memory.dmp

memory/2236-46-0x00000000074F0000-0x0000000007501000-memory.dmp

memory/2236-47-0x0000000007540000-0x000000000754E000-memory.dmp

memory/2236-48-0x0000000007550000-0x0000000007564000-memory.dmp

memory/2236-49-0x00000000075A0000-0x00000000075BA000-memory.dmp

memory/2236-50-0x0000000007590000-0x0000000007598000-memory.dmp

memory/2236-53-0x0000000074270000-0x0000000074A20000-memory.dmp

memory/1692-55-0x0000000002950000-0x0000000002D56000-memory.dmp

memory/2552-56-0x0000000002930000-0x0000000002D37000-memory.dmp

memory/2552-57-0x0000000002D40000-0x000000000362B000-memory.dmp

memory/1692-58-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/2552-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1272-60-0x0000000005A10000-0x0000000005D64000-memory.dmp

memory/1272-70-0x0000000070110000-0x000000007015C000-memory.dmp

memory/1272-71-0x0000000070890000-0x0000000070BE4000-memory.dmp

memory/1272-81-0x0000000007220000-0x00000000072C3000-memory.dmp

memory/1272-82-0x0000000007550000-0x0000000007561000-memory.dmp

memory/1272-83-0x00000000075A0000-0x00000000075B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9630d79833dee6a436ca6aeec47949d9
SHA1 8f38d1e7e2c3bc9d40659bc514712193cf1e7ec0
SHA256 674e0da41bce52ec1051d631dc63eda7ca110b4b6d2e81897b81d62e9927ba5a
SHA512 894c51f7e9fddb1792717ca2a4abf72a3c26b25b5bb2a27e33752bc3416a3a140f655ad09b1e81941975f6db8585dfce9163753bb0d912ac3d43ef76583b7819

memory/1808-97-0x0000000070110000-0x000000007015C000-memory.dmp

memory/1808-98-0x0000000070890000-0x0000000070BE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e00753d4c445079ce0a49988a098434c
SHA1 2e995c08274650b1efb0233b0192d6adcff10414
SHA256 28883f5cb7167a01f1013ae6622b9026799057d2df683d37ff8e18a5cbc45d66
SHA512 82f046e60a7fbb2ec8d4b1952c4f51fada3bbb872c6b5ce9c95ea4f2a1850a5e7ca8f1f2094b797eb71739e8322b27e0af9925ec4d3c87139c8b10edc3fb186a

memory/4292-120-0x0000000070890000-0x0000000070BE4000-memory.dmp

memory/4292-119-0x0000000070110000-0x000000007015C000-memory.dmp

memory/1692-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 98ac0a84afbade3abe697e307d07f043
SHA1 1444bb2cf0bd5ddfa6a7e1e2a3efd1d4c26880e6
SHA256 bb35e477c67625ca65353ea9fe3c3267bfe4d92d3f31a8e13665e193db1ead58
SHA512 e974cf68edf1c91dce1b2faa50867b424bff8b95090307e238bf0fec1ff28e9f8ecb0004d02c376f360452e5c1b4acc0b63749a40a0c58d486d0690dce631563

memory/1692-135-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4892-147-0x00000000062C0000-0x0000000006614000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c40b830d203d5e830f9deafc09d30427
SHA1 855c4f33e719eff1a477eb219afb3cf7f6d8f224
SHA256 687f0e0b7bf6ba8229e6468dc93d542cad93fb3c1f416f402b5b2eebc7a6fe0d
SHA512 81cbb01a503418e4a9c1ff9ce202cf7c567ff7eb1bb8eee56f8acf57487f91bd0939601e4e7c10ab6297fa5eea6bddb054a0bf560bb2de7b3dfef5b4f89fbac5

memory/4892-150-0x00000000702B0000-0x0000000070604000-memory.dmp

memory/4892-149-0x0000000070110000-0x000000007015C000-memory.dmp

memory/3216-167-0x0000000005960000-0x0000000005CB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3a9084902b7c0f2a1e4ab4f045779fb3
SHA1 1dd68d81b4a3400f20b12684771846031b9cd1df
SHA256 a65bacd92eb333d19d85b1b57f3f2d53e67bdc5d704ebd035e15002ff491b681
SHA512 c01e1e564508265858a8978b5a6ec69f1e5075978ac56e73baf0144c8661c8191b93adf5a17f85109493db8b0b1f7dc3f0e7541736d9a4ace4ba58063c49661b

memory/3216-173-0x0000000006090000-0x00000000060DC000-memory.dmp

memory/3216-174-0x0000000070030000-0x000000007007C000-memory.dmp

memory/3216-175-0x00000000707C0000-0x0000000070B14000-memory.dmp

memory/3216-185-0x0000000007260000-0x0000000007303000-memory.dmp

memory/3216-186-0x0000000007440000-0x0000000007451000-memory.dmp

memory/3216-187-0x0000000005E30000-0x0000000005E44000-memory.dmp

memory/5072-198-0x0000000005AF0000-0x0000000005E44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 970f81659a580eca57d28786cecd8613
SHA1 d6eef6652f57647e958186e15f9e4cb932ff3b00
SHA256 476371eca9e31aae73ed1ef109be14142ca21bb397ef91ec9d6c3774654e11db
SHA512 ce9702b1af840924190ec92df300f07b4e64102711b9fe66fc1b14a45b4a8efdf98224e745b2061f3943ee804d05bf9e2f5b2e5c0ebe1e73f828aa59546dc703

memory/5072-200-0x0000000070030000-0x000000007007C000-memory.dmp

memory/5072-201-0x00000000701B0000-0x0000000070504000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4160-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/540-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4792-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4160-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/540-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4160-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4792-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4160-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4792-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4160-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4160-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4160-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4160-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4160-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4160-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4160-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4160-258-0x0000000000400000-0x0000000000D1C000-memory.dmp