Malware Analysis Report

2024-12-08 02:15

Sample ID 240516-ptzrlsch3v
Target e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41
SHA256 e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41

Threat Level: Known bad

The file e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:37

Reported

2024-05-16 12:40

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\system32\cmd.exe
PID 4360 wrote to memory of 4668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2916 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\rss\csrss.exe
PID 4744 wrote to memory of 4368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4744 wrote to memory of 4652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4744 wrote to memory of 3208 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4744 wrote to memory of 1140 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4664 wrote to memory of 4772 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe

"C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe

"C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:37

Reported

2024-05-16 12:40

Platform

win11-20240508-en

Max time kernel

149s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\system32\cmd.exe
PID 4588 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\system32\cmd.exe
PID 3136 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3136 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4588 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\rss\csrss.exe
PID 4588 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\rss\csrss.exe
PID 4588 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe C:\Windows\rss\csrss.exe
PID 3460 wrote to memory of 2216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 4856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3460 wrote to memory of 4856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2080 wrote to memory of 4644 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 4644 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 4644 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4644 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4644 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe

"C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe

"C:\Users\Admin\AppData\Local\Temp\e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c4836871-62b6-427b-8f2d-d1ec7ae0b357.uuid.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.datadumpcloud.org udp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp

Files

memory/1176-1-0x0000000002A40000-0x0000000002E39000-memory.dmp

memory/1176-2-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/1176-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2868-4-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

memory/2868-5-0x0000000002AF0000-0x0000000002B26000-memory.dmp

memory/2868-6-0x00000000053D0000-0x00000000059FA000-memory.dmp

memory/2868-7-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/2868-8-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/2868-9-0x0000000005130000-0x0000000005152000-memory.dmp

memory/2868-10-0x0000000005A00000-0x0000000005A66000-memory.dmp

memory/2868-11-0x0000000005A70000-0x0000000005AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ha2ngzv.eyx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2868-20-0x0000000005AE0000-0x0000000005E37000-memory.dmp

memory/2868-21-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

memory/2868-22-0x0000000006010000-0x000000000605C000-memory.dmp

memory/2868-23-0x0000000006EF0000-0x0000000006F36000-memory.dmp

memory/2868-25-0x0000000070FF0000-0x000000007103C000-memory.dmp

memory/2868-37-0x0000000007450000-0x00000000074F4000-memory.dmp

memory/2868-36-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/2868-35-0x0000000007430000-0x000000000744E000-memory.dmp

memory/2868-26-0x00000000711E0000-0x0000000071537000-memory.dmp

memory/2868-24-0x00000000073D0000-0x0000000007404000-memory.dmp

memory/2868-38-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/2868-40-0x0000000007580000-0x000000000759A000-memory.dmp

memory/2868-39-0x0000000007BC0000-0x000000000823A000-memory.dmp

memory/2868-41-0x00000000075C0000-0x00000000075CA000-memory.dmp

memory/2868-42-0x0000000007680000-0x0000000007716000-memory.dmp

memory/2868-43-0x00000000075F0000-0x0000000007601000-memory.dmp

memory/2868-44-0x0000000007650000-0x000000000765E000-memory.dmp

memory/2868-45-0x0000000007660000-0x0000000007675000-memory.dmp

memory/2868-46-0x0000000007750000-0x000000000776A000-memory.dmp

memory/2868-47-0x0000000007770000-0x0000000007778000-memory.dmp

memory/2868-50-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/4588-52-0x0000000002A30000-0x0000000002E29000-memory.dmp

memory/3628-61-0x0000000005C10000-0x0000000005F67000-memory.dmp

memory/3628-62-0x0000000070FF0000-0x000000007103C000-memory.dmp

memory/3628-63-0x0000000071170000-0x00000000714C7000-memory.dmp

memory/3628-72-0x00000000072C0000-0x0000000007364000-memory.dmp

memory/3628-73-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/1176-74-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3628-75-0x0000000007620000-0x0000000007635000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1384-87-0x0000000005E40000-0x0000000006197000-memory.dmp

memory/1176-90-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/1176-89-0x0000000002A40000-0x0000000002E39000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d91c04f2179286d722b6114edeb42143
SHA1 55d981a0241981bea3938848723a6d1b14147a40
SHA256 8eb3688f56a0005bd2bd95028fad835c566983adc0ff07b89fbfd0092bd18512
SHA512 f9c295561636bef69236eabee6404737dc8126d1eeb35b64c98e4705f3e9862438626b0486b74b2d34a32fa87ef301d8e20bce814c8c0761c23ef8db235620f3

memory/1384-92-0x0000000071190000-0x00000000714E7000-memory.dmp

memory/1384-91-0x0000000070FF0000-0x000000007103C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3a0c1d1ff1d8c358d16a55067125dcbe
SHA1 004b5ad828130634d991d800490e4acf1f97f7ae
SHA256 b988d98f37f5d2844ed8022c929a6484b039999cbd1e13ace7fcac2f558d6b0e
SHA512 2db34eeff299f8e5a2ae5108e8293d72f64f85ffb3a8d6f11804a9556864704755625acb5d5f29be58f3210cecb913dfa56dee37fe545b6ffc9c75de1b25bfee

memory/3000-112-0x0000000071170000-0x00000000714C7000-memory.dmp

memory/3000-111-0x0000000070FF0000-0x000000007103C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ba96e75839abfa65e0c6b234f3862fcb
SHA1 c367332a9b0933faf057d62a0e773981502f2e96
SHA256 e800062d562356435e3009315c99038802dfa52c932917785f05e6aea3d46d41
SHA512 ca7dbc04a3872bd95960ad32b1a3759c304d30491ea5048388c7cbc50d2e26791474815bd155d654258cf64359eebbd053c421422a3e5c5358c1ceefca71a797

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8981b78e3fb9f2aab1a10f36c36c40c2
SHA1 3ab2e6e228cd281dbbbab504d7e60a6bd06fda66
SHA256 d0c19c4e6b64ccac87470c045ef8e33f9918367de3475729cbc757cbf9342b52
SHA512 d0cd1248d842f8f8ffdfdc005a8b5f43d25a47c7d9256ccff35ecb44f355856ecc2190bd6a81e12cffb70c99ae50a37cf6196fc9b4f5da49b5dd9fc82c84c7b7

memory/2216-136-0x0000000070FF0000-0x000000007103C000-memory.dmp

memory/2216-137-0x0000000071190000-0x00000000714E7000-memory.dmp

memory/4588-147-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-154-0x0000000005DE0000-0x0000000006137000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7de805c022c5cf641ad9e2b180ce01d
SHA1 495bd8a101d12e844b861aef332f75b732e98880
SHA256 77fa2255fe5084048d49f71d49a1d9f4f9da08947e85c580ec884fe437d9a1e3
SHA512 5212c55a59c6cc70fd5890f9812a3b75c1ee78ed3255bd291fa28ddb2fef008ebdccd806cae14524a3aba4055bcc3d0e6f24222f6646bef5bcca1b8fd16220b9

memory/2892-159-0x0000000006390000-0x00000000063DC000-memory.dmp

memory/2892-160-0x0000000070F10000-0x0000000070F5C000-memory.dmp

memory/2892-161-0x0000000071160000-0x00000000714B7000-memory.dmp

memory/2892-170-0x00000000075B0000-0x0000000007654000-memory.dmp

memory/2892-171-0x00000000078F0000-0x0000000007901000-memory.dmp

memory/2892-172-0x0000000006160000-0x0000000006175000-memory.dmp

memory/3936-182-0x0000000005960000-0x0000000005CB7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0b28ec24a89a82afa4134d89c6820891
SHA1 6b7094be530add12cea0d5220613a1c87142bb1f
SHA256 89b779a825d89cd4dab25add1e20e51ae93a504378acb1bf28bf4c161c66ad1f
SHA512 3d400017476bf53b33db8be1a001752ee63a2e5564c892abf1ac06412d7f36ef944e69dd8daf36b9854a26d54da56d12b12c6a61b1329acca494babe67c9f493

memory/3936-185-0x0000000071090000-0x00000000713E7000-memory.dmp

memory/3936-184-0x0000000070F10000-0x0000000070F5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3460-196-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4588-203-0x0000000002A30000-0x0000000002E29000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2080-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3264-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2080-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3460-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3460-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3264-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3460-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3460-257-0x0000000000400000-0x0000000000D1C000-memory.dmp