Malware Analysis Report

2024-12-08 02:13

Sample ID 240516-pwbskade54
Target 197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a
SHA256 197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a

Threat Level: Known bad

The file 197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 12:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 12:40

Reported

2024-05-16 12:42

Platform

win10v2004-20240426-en

Max time kernel

102s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 636 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 636 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\system32\cmd.exe
PID 4672 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 636 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 636 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 636 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\rss\csrss.exe
PID 4116 wrote to memory of 4080 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 3676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 2940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 2712 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4872 wrote to memory of 2976 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe

"C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe

"C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 163.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 ec8da9b6-a346-44ef-9178-eea07c4ff1ac.uuid.dumppage.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server11.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.111:443 server11.dumppage.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server11.dumppage.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnrhxj12.j1a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 04a7ee1abfc06af27111c28019f3a599
SHA1 d049e935cf3f04ab68f50db3635ef6d48ea19209
SHA256 1f227548a8d56423030757f64de94d97ca72149d5d0aa19d53ac6c150471d1cf
SHA512 cb7a0d3e1bf58a48d778e09beb573784d947a0756d3a1ba627e68319bda60be2791f9425c13074dbb36bb9c1a7d1d88ac21f39b125d25f3152e7f9d3d9bdabef

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2430e615c74e268f7b417eff05248327
SHA1 8b5039e6f4e1ab8647ee9681eef970e877a6697c
SHA256 cff58f89e02dca0a3fbfdf7e168822981b2d72cc4be21dbb5278edb9cbaeae9c
SHA512 35b70af16caa11fc291eb2ff4b3573caf0e1d8756df1f2a0799dc697e8ea88b0746594be971103dd76ac2a8626de7f0cd342fb1785eaf9f2748df7ae7bfa9cf4

C:\Windows\rss\csrss.exe

MD5 cc3d17a68c8401c1c4d6cb6b1bd8edd9
SHA1 4fa55cbdf01a5d05d3822e4aa2cce3a7a7abb98b
SHA256 197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a
SHA512 5154ea48a62f5257d056661d5f4700377073c2a58634546f46fcdc1fda6dfb8d466249ed1458ddf44787ad06adf4892e33e275c37d397a7c191aaafd3790f57c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3a7d726d7995b031ea86e920552249d5
SHA1 2898cea8a415e4330391aa54e0f1b89fd29d98b2
SHA256 cb206f9c5732e4facb416aa2f41a90f8a0ebf24093d7b0edd263fab2e7dd0879
SHA512 391d80362b13e127972d1385e0ae8fad9af7e4e147b15ea0a42bdee074ed039b468f51b693d3a3a59a0976e5ed1d390d50f0dc5e10799f1be358fb21f6a6bada

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aa5dd32e67b58eceaae4c940fa5d99d3
SHA1 3165fdc3ecd3606d30d32db175a2e75d00c3ecdc
SHA256 cacbcff178f1b65529621ef3d33e17dd2a9c6ecfd9f2b9c5619da8cd663a3392
SHA512 b7ca964820906ac14e73b158106b9939e529bd751337bc460d700b84232a610b195d979b80e97415b3801c4e73bad7da0da1a70ed835139ee76deb90685fce5c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 feb9c59967c839305baa222c252c5265
SHA1 493bf7bb31c4e404f10ec5345e1b4ec53f74d3cd
SHA256 25db29cfa39a1dbad144125c9c0a25a4e659ec7fd6bcb843fb3a915a82950065
SHA512 be9c7a8d8f0c2d95f1c2697da6a9d9c82c24fc71f694e26a61ef513effc1efc63818bd04b77fa2e8d6928989885b7b9a45849bdab153929f091d4d94a1791f3d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:40

Reported

2024-05-16 12:42

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2472 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4968 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\rss\csrss.exe
PID 4968 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\rss\csrss.exe
PID 4968 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe C:\Windows\rss\csrss.exe
PID 1400 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1400 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1592 wrote to memory of 2476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2476 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2476 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
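The rows above give parent/child pairs but not a tree, and each write is logged up to three times. The following added example (the editor's own code, not the sandbox's tooling or anything from the sample) rebuilds the process tree from a copy of those rows, collapses the repeats, and flags images that carry a system-binary name outside System32/SysWOW64 or sit directly in the Windows directory. Two things worth noticing in the result: C:\Windows\rss\csrss.exe is the sample itself (its SHA256 in the Files section matches the submitted hash), and C:\Windows\windefender.exe (PID 1592) appears only as a parent, so this table does not record what started it. The name lists used for the checks are illustrative, not an exhaustive policy.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' rows
of a sandbox report and flag images that masquerade as Windows system binaries.
Added example (editor's own code), not part of the sandbox or the sample."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
INJ = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"

# Rows copied from the report table above. The sandbox logs one row per write,
# so the same parent/child pair repeats; parse_rows() collapses the repeats.
ROWS = "\n".join([
    f"PID 4416 wrote to memory of 4900 N/A {SAMPLE} {PS}",
    f"PID 4416 wrote to memory of 4900 N/A {SAMPLE} {PS}",
    f"PID 4416 wrote to memory of 4900 N/A {SAMPLE} {PS}",
    f"PID 4968 wrote to memory of 1232 N/A {SAMPLE} {PS}",
    rf"PID 4968 wrote to memory of 2472 N/A {SAMPLE} C:\Windows\system32\cmd.exe",
    r"PID 2472 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe",
    f"PID 4968 wrote to memory of 3144 N/A {SAMPLE} {PS}",
    f"PID 4968 wrote to memory of 3468 N/A {SAMPLE} {PS}",
    rf"PID 4968 wrote to memory of 1400 N/A {SAMPLE} C:\Windows\rss\csrss.exe",
    rf"PID 4968 wrote to memory of 1400 N/A {SAMPLE} C:\Windows\rss\csrss.exe",
    rf"PID 1400 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe {PS}",
    rf"PID 1400 wrote to memory of 1832 N/A C:\Windows\rss\csrss.exe {PS}",
    rf"PID 1400 wrote to memory of 1712 N/A C:\Windows\rss\csrss.exe {PS}",
    rf"PID 1400 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe {INJ}",
    r"PID 1592 wrote to memory of 2476 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2476 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Names that only legitimately run from the system directories, and the
# directories themselves. Illustrative lists, not an exhaustive policy.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "svchost.exe",
                "wininit.exe", "winlogon.exe", "cmd.exe", "sc.exe", "netsh.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\sysnative"}
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe", "hh.exe"}


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges in report order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and (edge := (int(m[1]), int(m[2]), m[3], m[4])) not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map pid -> image and pid -> child pids; roots are pids the table never shows as a target."""
    image, children = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        children.setdefault(ppid, []).append(cpid)
        children.setdefault(cpid, [])
    targets = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in image if pid not in targets]
    return image, children, roots


def render(image, children, roots):
    """Indented text tree, one process per line."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def suspicious_images(image):
    """(pid, path, reason) for system-binary names outside the system directories
    and for executables sitting directly in the Windows directory."""
    out = []
    for pid, path in image.items():
        directory, name = (s.lower() for s in ntpath.split(path))
        if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
            out.append((pid, path, "system binary name outside System32/SysWOW64"))
        elif directory == r"c:\windows" and name not in WINDOWS_ROOT_OK:
            out.append((pid, path, "executable dropped directly into the Windows directory"))
    return out


if __name__ == "__main__":
    image, children, roots = build_tree(parse_rows(ROWS))
    print(render(image, children, roots))
    for pid, path, why in suspicious_images(image):
        print(f"[!] pid {pid}: {path} ({why})")
```

Run as-is it prints three roots (4416, the first instance that crashed its PowerShell child; 4968, the elevated second instance that does the real work; 1592, windefender.exe) and flags PID 1400 and PID 1592. The same parser works on the full table; only the row layout of this sandbox is assumed.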

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe

"C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1928

C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe

"C:\Users\Admin\AppData\Local\Temp\197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
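The `sc sdset WinDefender ...` command above is the sample's service-hardening step: the dropped windefender.exe registers a service whose name resembles the real Windows Defender service (WinDefend) and then rewrites its security descriptor so that Administrators can no longer stop or pause it. The following added example (the editor's own code, not from the sample or the sandbox) decodes that SDDL string, copied verbatim from the command line, and reports which principals keep SERVICE_STOP and which rights Administrators retain that a responder can use to undo the lockdown. The right-to-name table is the standard service-object mapping; hex access masks in SDDL are not handled.

```python
"""Decode the service security descriptor that the dropped windefender.exe applies
with 'sc sdset WinDefender ...' and work out who can still stop the service.
Added example (editor's own code), not part of the sample or the sandbox."""
import re

# SDDL copied verbatim from the sc sdset command line above.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL access rights as they apply to service objects (the generic
# CC/DC/LC/SW/RP/WP/DT/LO/CR letters map onto SERVICE_* specific rights).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
        "SU": "Service logon", "WD": "Everyone"}

# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid). Rights are read
# as letter pairs only; hex masks (0x...) are not handled here.
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);[^;]*;[^;]*;([^)]+)\)")


def parse_sddl(sddl):
    """Split the D: and S: sections into ACE tuples (type, flags, [rights], sid)."""
    out = {"dacl": [], "sacl": []}
    for prefix, key in (("D:", "dacl"), ("S:", "sacl")):
        m = re.search(re.escape(prefix) + r"((?:\([^)]*\))*)", sddl)
        for ace in ACE_RE.finditer(m[1] if m else ""):
            out[key].append((ace[1], ace[2], re.findall(r"..", ace[3]), ace[4]))
    return out


def effective_rights(aces):
    """Per SID: rights from allow ACEs minus rights named in deny ACEs for that SID."""
    allowed, denied = {}, {}
    for ace_type, _flags, rights, sid in aces:
        if ace_type == "A":
            allowed.setdefault(sid, set()).update(rights)
        elif ace_type == "D":
            denied.setdefault(sid, set()).update(rights)
    return {sid: allowed.get(sid, set()) - denied.get(sid, set())
            for sid in set(allowed) | set(denied)}


def can_stop(sddl):
    """{sid: True/False} -- which principals hold SERVICE_STOP (WP)."""
    return {sid: "WP" in rights
            for sid, rights in effective_rights(parse_sddl(sddl)["dacl"]).items()}


def findings(sddl):
    """Triage lines: explicit denies, what Administrators lost, and what they keep
    that a responder can use to undo the lockdown."""
    dacl = parse_sddl(sddl)["dacl"]
    out = []
    for ace_type, _flags, rights, sid in dacl:
        if ace_type == "D":
            out.append(f"DENY {SIDS.get(sid, sid)}: "
                       + ", ".join(SERVICE_RIGHTS.get(r, r) for r in rights))
    ba = effective_rights(dacl).get("BA", set())
    out += [f"Administrators lack {SERVICE_RIGHTS[r]}" for r in ("WP", "DT") if r not in ba]
    out += [f"Administrators keep {SERVICE_RIGHTS[r]} (recovery path)"
            for r in ("WD", "DC", "SD") if r in ba]
    return out


if __name__ == "__main__":
    for sid, ok in sorted(can_stop(SDDL).items()):
        print(f"{SIDS.get(sid, sid):18} can stop: {ok}")
    print("\n".join(findings(SDDL)))
```

Two details of this descriptor matter for response. The allow ACE for BA already omits WP and DT, so the trailing `(D;;WPDT;;;BA)` deny is belt-and-braces: an elevated `sc stop WinDefender` fails either way, while LocalSystem keeps SERVICE_STOP. Administrators do keep WRITE_DAC, SERVICE_CHANGE_CONFIG and DELETE, so `sc sdset` with a sane descriptor, `sc config WinDefender start= disabled` followed by a reboot, or `sc delete WinDefender` all remain available; the deny ACE only blocks the obvious first move.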

Network

Country  Destination            Domain                                                  Proto
US       8.8.8.8:53             dd81e64e-598c-410a-a441-b5e83bb6fcc1.uuid.dumppage.org  udp
US       8.8.8.8:53             stun.l.google.com                                       udp
US       8.8.8.8:53             server15.dumppage.org                                   udp
US       8.8.8.8:53             cdn.discordapp.com                                      udp
US       162.159.135.233:443    cdn.discordapp.com                                      tcp
US       74.125.250.129:19302   stun.l.google.com                                       udp
BG       185.82.216.111:443     server15.dumppage.org                                   tcp
US       104.21.94.82:443       carsalessystem.com                                      tcp
US       8.8.8.8:53             82.94.21.104.in-addr.arpa                               udp
BG       185.82.216.111:443     server15.dumppage.org                                   tcp
BG       185.82.216.111:443     server15.dumppage.org                                   tcp

Files

memory/4416-1-0x0000000002A30000-0x0000000002E29000-memory.dmp

memory/4416-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/4416-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4900-4-0x000000007461E000-0x000000007461F000-memory.dmp

memory/4900-5-0x0000000004DE0000-0x0000000004E16000-memory.dmp

memory/4900-6-0x00000000054E0000-0x0000000005B0A000-memory.dmp

memory/4900-7-0x0000000074610000-0x0000000074DC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3v3e1ihw.jtl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4900-14-0x0000000005CC0000-0x0000000005D26000-memory.dmp

memory/4900-15-0x0000000005DA0000-0x0000000005E06000-memory.dmp

memory/4900-8-0x0000000005C10000-0x0000000005C32000-memory.dmp

memory/4900-19-0x0000000074610000-0x0000000074DC1000-memory.dmp

memory/4900-20-0x0000000005E10000-0x0000000006167000-memory.dmp

memory/4900-21-0x0000000006270000-0x000000000628E000-memory.dmp

memory/4900-22-0x00000000062C0000-0x000000000630C000-memory.dmp

memory/4900-23-0x0000000006810000-0x0000000006856000-memory.dmp

memory/4900-25-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/4900-24-0x0000000007690000-0x00000000076C4000-memory.dmp

memory/4900-26-0x0000000074610000-0x0000000074DC1000-memory.dmp

memory/4900-36-0x00000000076F0000-0x000000000770E000-memory.dmp

memory/4900-27-0x0000000070A00000-0x0000000070D57000-memory.dmp

memory/4900-37-0x0000000007710000-0x00000000077B4000-memory.dmp

memory/4900-38-0x0000000007E80000-0x00000000084FA000-memory.dmp

memory/4900-39-0x0000000007830000-0x000000000784A000-memory.dmp

memory/4900-40-0x0000000007870000-0x000000000787A000-memory.dmp

memory/4900-41-0x0000000074610000-0x0000000074DC1000-memory.dmp

memory/4968-43-0x0000000002A20000-0x0000000002E20000-memory.dmp

memory/1232-52-0x0000000006470000-0x00000000067C7000-memory.dmp

memory/1232-53-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/1232-54-0x0000000070A70000-0x0000000070DC7000-memory.dmp

memory/1232-63-0x0000000007BB0000-0x0000000007C54000-memory.dmp

memory/1232-64-0x0000000007FB0000-0x0000000008046000-memory.dmp

memory/1232-65-0x0000000007ED0000-0x0000000007EE1000-memory.dmp

memory/4416-66-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4416-68-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/4416-67-0x0000000002A30000-0x0000000002E29000-memory.dmp

memory/1232-69-0x0000000007F10000-0x0000000007F1E000-memory.dmp

memory/1232-70-0x0000000007F20000-0x0000000007F35000-memory.dmp

memory/1232-71-0x0000000007F60000-0x0000000007F7A000-memory.dmp

memory/1232-72-0x0000000007F80000-0x0000000007F88000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/3144-78-0x0000000005780000-0x0000000005AD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1665990455b8222f0570b0c5c6a0167c
SHA1 ef2d90a2cf000669bb3ebda95912386e97ae5608
SHA256 2d8177cb6ed304eb5de7728586675d18050fe86e9582d785dcc4f94ad67124a2
SHA512 3116529e43a2b238bdd1e7d0d19a381c7755289b1ef2d70c2e2709e897cea13064fa217876dad8070f778ac117fc01a043cbe9157103156e896359aa74ce77ed

memory/3144-86-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/3144-87-0x0000000070A90000-0x0000000070DE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fa18b98c3e702119393ac5ea62e59a9f
SHA1 354d1c5f8e3c8c1db780df898884ac21d05cfeee
SHA256 3935fca35bfa68f40c755a42e76940d2f18ba34475204b4fcbb1e3011d508250
SHA512 f8fae20869513407838e32de29c48049ff6b3d8cf367756a413856e1d5011b982f12dde30dbae25a8585937c628a866be78d85960f8bd03dd1315e03bb3f578f

memory/3468-106-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/3468-107-0x0000000070A00000-0x0000000070D57000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 cc3d17a68c8401c1c4d6cb6b1bd8edd9
SHA1 4fa55cbdf01a5d05d3822e4aa2cce3a7a7abb98b
SHA256 197860a8f2048dd9f14ad1cc4a011bd84a28d0228033854c142ca8075f15f74a
SHA512 5154ea48a62f5257d056661d5f4700377073c2a58634546f46fcdc1fda6dfb8d466249ed1458ddf44787ad06adf4892e33e275c37d397a7c191aaafd3790f57c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3e523222f2217d6b914348158e0c8718
SHA1 46ce719a4a8f804cadc466b128f8025ad4dc4480
SHA256 87e13b430cd9e2040402185c848ce7a609cebe2a997bccee9b75564f24b4a113
SHA512 9d3a568d5aaed78a9e595b4c3df8aa912e5755348a64955506be3f9d988e5d16287a01b7cc54e002faa30fdbba2246023beea0acf66f71905208886a61532d3b

memory/4708-132-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/4968-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4708-133-0x0000000070A00000-0x0000000070D57000-memory.dmp

memory/1832-145-0x00000000055F0000-0x0000000005947000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a4a00ac69aa58e46e40b006450b3e925
SHA1 c970932f51ebbb071cca5bb7a035e627c7009664
SHA256 42c86b52e2d95c6cdce3537b30404814b7a0a05013fdf1cbd980b6a88406a266
SHA512 6513fd31c2758f24efb8677c1b65ada0965e3453f498437fe660fa2372dbed18a4b27feb7202be67a844dcdea91a2c573e7cdc1855946a4c115ae6c32407e454

memory/1832-153-0x0000000006090000-0x00000000060DC000-memory.dmp

memory/1832-155-0x00000000709F0000-0x0000000070D47000-memory.dmp

memory/1832-154-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/1832-164-0x0000000006D40000-0x0000000006DE4000-memory.dmp

memory/1832-166-0x00000000070B0000-0x00000000070C1000-memory.dmp

memory/1832-167-0x0000000004F60000-0x0000000004F75000-memory.dmp

memory/1712-177-0x0000000005EB0000-0x0000000006207000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7e12eb19c650d212eb5082913ddd5ec0
SHA1 9957c8042a1185060781ab59f6a0111de2dc4b73
SHA256 50948de901dcab0ce0bfbbc2992a8a235a4bce8c58a10f8cf9f2217b84dfc21d
SHA512 d23c4dce89cf7cdc774afb05ae2d58520dc70c36facd27ab859cd26716deff748900291c8d5e2b329343e055c73fd66c6b48f944f7a6b9b1fa566109089ddc07

memory/1712-179-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/1712-180-0x0000000070920000-0x0000000070C77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1400-196-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4968-198-0x0000000002A20000-0x0000000002E20000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1592-203-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3896-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1592-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1400-209-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3896-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1400-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3896-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1400-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1400-253-0x0000000000400000-0x0000000000D1C000-memory.dmp