Malware Analysis Report

2024-12-08 02:20

Sample ID 240516-s8fh3abg8y
Target 898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022
SHA256 898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022

Threat Level: Known bad

The file 898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Program crash

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:47

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:47

Reported

2024-05-16 15:50

Platform

win11-20240508-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2912 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 3660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2392 wrote to memory of 3660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1744 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\rss\csrss.exe
PID 1744 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\rss\csrss.exe
PID 1744 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe | C:\Windows\rss\csrss.exe
PID 3836 wrote to memory of 1172 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 1172 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 1172 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 1576 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 1576 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 1576 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 4036 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 4036 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 4036 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 4884 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3836 wrote to memory of 4884 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3328 wrote to memory of 3388 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 3388 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 3388 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 2408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3388 wrote to memory of 2408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3388 wrote to memory of 2408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe

"C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1304 -ip 1304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1876

C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe

"C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 447065bd-3e0a-4cd4-9e57-6b09a03011c1.uuid.alldatadump.org udp
US 8.8.8.8:53 server1.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server1.alldatadump.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server1.alldatadump.org tcp
BG 185.82.216.108:443 server1.alldatadump.org tcp

Files

memory/2912-1-0x0000000002A20000-0x0000000002E19000-memory.dmp

memory/2912-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/2912-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1304-4-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

memory/1304-5-0x00000000048D0000-0x0000000004906000-memory.dmp

memory/1304-6-0x0000000004FC0000-0x00000000055EA000-memory.dmp

memory/1304-7-0x0000000073F50000-0x0000000074701000-memory.dmp

memory/1304-8-0x0000000073F50000-0x0000000074701000-memory.dmp

memory/1304-9-0x0000000005620000-0x0000000005642000-memory.dmp

memory/1304-10-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/1304-11-0x0000000005830000-0x0000000005896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xl1nwe2j.mkd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1304-20-0x00000000058A0000-0x0000000005BF7000-memory.dmp

memory/1304-21-0x0000000005D80000-0x0000000005D9E000-memory.dmp

memory/1304-22-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

memory/1304-23-0x00000000062F0000-0x0000000006336000-memory.dmp

memory/1304-24-0x0000000007190000-0x00000000071C4000-memory.dmp

memory/1304-25-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/1304-35-0x00000000071F0000-0x000000000720E000-memory.dmp

memory/1304-26-0x0000000070340000-0x0000000070697000-memory.dmp

memory/1304-37-0x0000000007210000-0x00000000072B4000-memory.dmp

memory/1304-36-0x0000000073F50000-0x0000000074701000-memory.dmp

memory/1304-38-0x0000000007980000-0x0000000007FFA000-memory.dmp

memory/1304-39-0x0000000007340000-0x000000000735A000-memory.dmp

memory/1304-40-0x0000000007380000-0x000000000738A000-memory.dmp

memory/1304-41-0x0000000073F50000-0x0000000074701000-memory.dmp

memory/1744-43-0x0000000002A20000-0x0000000002E20000-memory.dmp

memory/2412-52-0x0000000006220000-0x0000000006577000-memory.dmp

memory/2412-53-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/2412-54-0x0000000070410000-0x0000000070767000-memory.dmp

memory/2412-63-0x0000000007950000-0x00000000079F4000-memory.dmp

memory/2412-64-0x0000000007D20000-0x0000000007DB6000-memory.dmp

memory/2412-65-0x0000000007C40000-0x0000000007C51000-memory.dmp

memory/2912-66-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2412-67-0x0000000007C80000-0x0000000007C8E000-memory.dmp

memory/2412-68-0x0000000007C90000-0x0000000007CA5000-memory.dmp

memory/2412-69-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

memory/2412-70-0x0000000007CF0000-0x0000000007CF8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/2912-74-0x0000000002A20000-0x0000000002E19000-memory.dmp

memory/2912-75-0x0000000002E20000-0x000000000370B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 867520f66d57059efc77aa78ef842d8c
SHA1 89adf4fdb00c99578158e232d0ef3e882cc6728e
SHA256 5dff0e16fe44904e590ece18e8a9223426d3f5930bfe5f21c24b773007e6c48a
SHA512 778a90b6beebd3a9c0c9198eec5d4b80e17ae86abc1a62e7befc2dea6a160ce4b235bfad9b85db195613f128c3ab1c62fa665303ef95782dae5925454a138f65

memory/1344-85-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/1344-86-0x0000000070340000-0x0000000070697000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 80e1dac59550528ed4b1d963eb9d77b1
SHA1 9540cc78ffdd201e4ece359e20fb55dfe2f19bd1
SHA256 ba0c2479ae5144987dabdc978e1343f83b9a70c531243e2ba46371c2ea756e11
SHA512 11ad7e6a5ff6c66b341494ccbeb32113cd85235e5f3ed5f63624382647020a53633dfbf7374cde89e686b1b64b4fd678b7b0123355053225aaf389a341de96e7

memory/3992-105-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/3992-106-0x0000000070340000-0x0000000070697000-memory.dmp

memory/1744-116-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7b32398094b342f21a83147adc173021
SHA1 c3f6bcf1107fed356d05ab81d9cf4d9ce6add8fc
SHA256 898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022
SHA512 47bc6befc79ea8e6be1b06db13a60a7d1bde3b50d9b3abdab97a0a722ba5f215c4054140d8c1bf1aa6a58521d34588da0fe4d865954fce14f6eb61ce588ab4b2

memory/1744-121-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ca340634fd15617188662f0ddc5b0562
SHA1 1fb7fd3b5af30ca8895f8126b6f168a4822ef5d4
SHA256 2da3e9bf5c253b733e26739fbc14b6f1116098c8ac5ec56a760551c71e87804a
SHA512 dc8688950529236f051941bcb4b3957da7b80da7e0768d73a0bcd437be54c25f353f9f1de476a707c62907e3879bf10a2c61fb1b30842fe8271f3d8c86ab0051

memory/1172-133-0x0000000070410000-0x0000000070767000-memory.dmp

memory/1172-132-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/1576-152-0x0000000005820000-0x0000000005B77000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f22673f46ce225fe53b4d15084cf76db
SHA1 7a9ec3869e905a98f9846fdc0485c8a8432d405d
SHA256 5f4a98b79a1479cb8108f43de8e643cf2fc19bec123ba8e57546f8a55125c869
SHA512 959576c3a10e372af53453a0ea248185870132008942ec9c30ffe708f7383fac2e17d875a95556cf776f828677b8829d74ab8082c67211078c8a566b2a3cae9c

memory/1576-154-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

memory/1576-155-0x00000000700E0000-0x000000007012C000-memory.dmp

memory/1576-156-0x0000000070310000-0x0000000070667000-memory.dmp

memory/1576-165-0x0000000007020000-0x00000000070C4000-memory.dmp

memory/1576-166-0x00000000073B0000-0x00000000073C1000-memory.dmp

memory/1576-167-0x0000000005BA0000-0x0000000005BB5000-memory.dmp

memory/4036-177-0x00000000061E0000-0x0000000006537000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9eff236089e25148be12641e76ff9a32
SHA1 c0f29ec5b9fd51edb556269d0360a8a47f006601
SHA256 a4ae5f8963ce217a231f5d4784abe17da9859760e9cb11410e4b7b3b3bd9b149
SHA512 640248e54000ec0a8d7c78e5b97e2d02410c64ee114ff3a68f7acbe4af453abb64a02bbca666ff01fd491ca6b7f832822c0ac8c73d2c6f7a99790151d4f3bd07

memory/4036-180-0x0000000070330000-0x0000000070687000-memory.dmp

memory/4036-179-0x00000000700E0000-0x000000007012C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3836-196-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3328-200-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3116-203-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3328-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3836-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3116-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3836-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3116-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3836-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3836-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:47

Reported

2024-05-16 15:50

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\system32\cmd.exe
PID 444 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4540 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 444 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\rss\csrss.exe
PID 444 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\rss\csrss.exe
PID 444 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe C:\Windows\rss\csrss.exe
PID 4284 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 4612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 4612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 4612 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 2760 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 2760 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 2760 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 3804 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4284 wrote to memory of 3804 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4376 wrote to memory of 1844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 1844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 1844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1844 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1844 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe

"C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe

"C:\Users\Admin\AppData\Local\Temp\898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 147.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 aca311fa-71af-4229-bc7a-09639d3f3ca1.uuid.alldatadump.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server11.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server11.alldatadump.org tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server11.alldatadump.org tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BG 185.82.216.108:443 server11.alldatadump.org tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4012-1-0x0000000002A10000-0x0000000002E0F000-memory.dmp

memory/4012-2-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/4012-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1648-4-0x0000000074F5E000-0x0000000074F5F000-memory.dmp

memory/1648-5-0x0000000005030000-0x0000000005066000-memory.dmp

memory/1648-7-0x0000000005860000-0x0000000005E88000-memory.dmp

memory/1648-6-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1648-8-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1648-9-0x0000000005740000-0x0000000005762000-memory.dmp

memory/1648-11-0x0000000005FB0000-0x0000000006016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvdgrals.bod.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1648-10-0x0000000005F40000-0x0000000005FA6000-memory.dmp

memory/1648-21-0x0000000006020000-0x0000000006374000-memory.dmp

memory/1648-23-0x00000000066A0000-0x00000000066EC000-memory.dmp

memory/1648-22-0x00000000065F0000-0x000000000660E000-memory.dmp

memory/1648-24-0x0000000006C20000-0x0000000006C64000-memory.dmp

memory/1648-25-0x0000000007930000-0x00000000079A6000-memory.dmp

memory/1648-26-0x0000000008030000-0x00000000086AA000-memory.dmp

memory/1648-27-0x00000000079D0000-0x00000000079EA000-memory.dmp

memory/1648-29-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/1648-42-0x0000000007BF0000-0x0000000007C93000-memory.dmp

memory/1648-40-0x0000000007BD0000-0x0000000007BEE000-memory.dmp

memory/1648-41-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1648-43-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1648-30-0x00000000713A0000-0x00000000716F4000-memory.dmp

memory/1648-44-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

memory/1648-28-0x0000000007B90000-0x0000000007BC2000-memory.dmp

memory/1648-45-0x0000000007DA0000-0x0000000007E36000-memory.dmp

memory/1648-46-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1648-47-0x0000000007D00000-0x0000000007D11000-memory.dmp

memory/1648-48-0x0000000007D40000-0x0000000007D4E000-memory.dmp

memory/1648-49-0x0000000007D50000-0x0000000007D64000-memory.dmp

memory/1648-50-0x0000000007E40000-0x0000000007E5A000-memory.dmp

memory/1648-51-0x0000000007D90000-0x0000000007D98000-memory.dmp

memory/1648-54-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/444-56-0x0000000002940000-0x0000000002D3F000-memory.dmp

memory/2984-66-0x0000000005BD0000-0x0000000005F24000-memory.dmp

memory/2984-67-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/2984-68-0x0000000070F70000-0x00000000712C4000-memory.dmp

memory/2984-78-0x00000000072C0000-0x0000000007363000-memory.dmp

memory/4012-80-0x0000000002A10000-0x0000000002E0F000-memory.dmp

memory/4012-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4012-81-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/2984-82-0x0000000007620000-0x0000000007631000-memory.dmp

memory/2984-83-0x0000000007660000-0x0000000007674000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3076-89-0x0000000005A50000-0x0000000005DA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6c79034637d8f54b94b13fbd98e23684
SHA1 46f024e6ce0ec28080b64ba9af57361ba534ea44
SHA256 0074743e349ad2947f2938d89e46eb4322685988398c2a575f18cef04a2946c2
SHA512 2f7e7a041f3db31b45d2b261837fa14d3dec150afa162c774db510740846f9d4c253972f00c3ab62577b46b5c646eef81d9a6f12a994d19dc9b22c6b40269171

memory/3076-98-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/3076-99-0x0000000071590000-0x00000000718E4000-memory.dmp

memory/3456-110-0x0000000005970000-0x0000000005CC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3e2e75de79ae2de19ff39ad124a2bf2
SHA1 998c3c642776d1d36c998b74c10a51f3af354ea8
SHA256 f25f8d5d3abb76f0b9c9f063605fcb5d34f328c5c3203acd8342ffae2870ef0e
SHA512 81f324978b60a00823a9d4f26cd315963be85e2a128021a7d03be32e1926dce984fd6f6b7d02aa1c32f29de182fd6380a45b6c5cc75e24bed21525c1d045bff2

memory/3456-121-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/3456-122-0x0000000071570000-0x00000000718C4000-memory.dmp

memory/444-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7b32398094b342f21a83147adc173021
SHA1 c3f6bcf1107fed356d05ab81d9cf4d9ce6add8fc
SHA256 898e084024ea4f5272bc152aa3eb67d24371d787dff05d7d8b1c3df20949c022
SHA512 47bc6befc79ea8e6be1b06db13a60a7d1bde3b50d9b3abdab97a0a722ba5f215c4054140d8c1bf1aa6a58521d34588da0fe4d865954fce14f6eb61ce588ab4b2

memory/444-137-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 633e705c6e41bd9fb0d66489e9562337
SHA1 c5853c6726d841698a2f369a563d20ffdc779e2d
SHA256 745f287875eb0adfc3a6bca64187c6e218d4e3f19735c672b23c4adf63a8cfb6
SHA512 db3cf3800fcdf1b23adc069babcd00832e6afdda71ca6c30b0db3204b66b3bce47c3759a49179428cf33b8a4cb44a186668895e8a73712fd66d6000604e8eff9

memory/1664-150-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/1664-151-0x0000000071570000-0x00000000718C4000-memory.dmp

memory/4612-172-0x00000000059C0000-0x0000000005D14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 987f99e8f94d4ba3bc63234b45a2649e
SHA1 398eb71561e73e0f631c406a8c9b0611ccb5fbc4
SHA256 bd2042f241314823451e9323a8490d690564d93b6047a1c28929e3a3216fda94
SHA512 0764b1ddfbc53fee4cf0aba36c787d0ffe2e0d560de8b487d8714c2f2d3e08ef698c7308dca60a8cf6db9b9ddbb81738f1b2b91b32f9375d80387f96f0ad112a

memory/4612-174-0x00000000061C0000-0x000000000620C000-memory.dmp

memory/4612-176-0x00000000714A0000-0x00000000717F4000-memory.dmp

memory/4612-175-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/4612-186-0x00000000072B0000-0x0000000007353000-memory.dmp

memory/4612-187-0x0000000007620000-0x0000000007631000-memory.dmp

memory/4612-188-0x0000000005E80000-0x0000000005E94000-memory.dmp

memory/2760-199-0x0000000005760000-0x0000000005AB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06c52477647ec46aa4ef0b6f9b57c297
SHA1 217c232556ca4547db98287e09a36b80cc31722c
SHA256 2695657e4a2dcbd99560c21f25ca1d49a789fe4373cdb1f34c74a1a9b8419e06
SHA512 d5b3a441d1c2eb1bbe38b537222333b64454cc46615dd66dcb86914d7502cc4d1ce53c64a8abd0f40b99232a7d05a10082dbb359f7ce56ac77121e13fb9ceaeb

memory/2760-201-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/2760-202-0x0000000070E90000-0x00000000711E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4284-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4376-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4284-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4376-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4284-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2388-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4284-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4284-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2388-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4284-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4284-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4284-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2388-246-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4284-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4284-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4284-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4284-257-0x0000000000400000-0x0000000000D1C000-memory.dmp