Malware Analysis Report

2024-12-08 02:20

Sample ID 240516-wdy9gage46
Target 8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310
SHA256 8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310

Threat Level: Known bad

The file 8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:49

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:49

Reported

2024-05-16 17:51

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (×18)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×6)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×5)

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×14)
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A (×12)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (×32)
N/A N/A C:\Windows\rss\csrss.exe N/A (×6)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×7)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (×2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 3300 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 3300 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\system32\cmd.exe (×2)
PID 492 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (×2)
PID 3300 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 3300 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 3300 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\rss\csrss.exe (×3)
PID 2060 wrote to memory of 1472 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2060 wrote to memory of 2444 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2060 wrote to memory of 868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2060 wrote to memory of 3408 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (×2)
PID 3696 wrote to memory of 1504 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (×3)
PID 1504 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe

"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe

"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
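
The sc sdset command in the process list above replaces the security descriptor of the WinDefender service with a hand-written SDDL string. The decoder below is an added example, not part of the sandbox output: it parses that descriptor, names the rights each ACE grants or denies, and reports which trustees are denied SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT). REPORT_SDDL is copied from the command line above; DEFAULT_SDDL is an assumed baseline (the stock descriptor Windows gives a new service) used only for comparison. Group membership is not expanded, so effective_rights reflects each trustee's own ACEs only.

```python
"""Decode the service security descriptor written by `sc sdset` and report
who is denied the right to stop or pause the service.
Added example; DEFAULT_SDDL is an assumed baseline, not taken from the report."""
import re

# SDDL two-letter access rights as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
               "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}

# Descriptor from the sc sdset command recorded in this report.
REPORT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed: the stock descriptor Windows gives a newly created service.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

def _split_rights(rights):
    """'CCLCSWRP' -> ['SERVICE_QUERY_CONFIG', ...]; hex masks are kept as-is."""
    if rights.startswith("0x"):
        return [rights]
    return [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
            for i in range(0, len(rights), 2)]

def _parse_acl(text):
    """Parse every '(type;flags;rights;object;inherit;sid)' ACE in an ACL string."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, _obj, _inherit, sid = fields[:6]
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": _split_rights(rights),
                     "trustee": SID_ALIASES.get(sid, sid)})
    return aces

def parse_sddl(sddl):
    """Split an SDDL string into its DACL ('D:') and SACL ('S:') ACE lists."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    sacl = re.search(r"S:(.*)$", sddl)
    return {"dacl": _parse_acl(dacl.group(1)) if dacl else [],
            "sacl": _parse_acl(sacl.group(1)) if sacl else []}

def effective_rights(sddl, trustee):
    """Rights a trustee gets from its own ACEs, minus its explicit denies.
    Simplification: group membership is not expanded."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "ACCESS_ALLOWED":
            allowed.update(ace["rights"])
        elif ace["type"] == "ACCESS_DENIED":
            denied.update(ace["rights"])
    return allowed - denied

def stop_lockdown_findings(sddl):
    """Deny ACEs that withhold SERVICE_STOP or SERVICE_PAUSE_CONTINUE."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        hit = [r for r in ace["rights"]
               if r in ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE")]
        if ace["type"] == "ACCESS_DENIED" and hit:
            findings.append((ace["trustee"], hit))
    return findings

if __name__ == "__main__":
    for trustee, rights in stop_lockdown_findings(REPORT_SDDL):
        print(f"DENY {trustee}: {', '.join(rights)}")
    admin = effective_rights(REPORT_SDDL, "Administrators")
    print("Administrators can stop the service:", "SERVICE_STOP" in admin)
    print("Administrators can rewrite the DACL:", "WRITE_DAC" in admin)
```

Run against the descriptor from this report, the script reports a single deny ACE, (D;;WPDT;;;BA), and the Administrators allow ACE has also lost WP and DT relative to the baseline. The effect is that an administrator can no longer stop or pause the service from sc stop or services.msc, while LocalSystem keeps both rights. The same ACE still grants Administrators WRITE_DAC, WRITE_OWNER, DELETE and SERVICE_CHANGE_CONFIG, so the descriptor can be reset with another sc sdset as part of cleanup. Note that the service name WinDefender is not the Microsoft Defender Antivirus service, which is registered as WinDefend.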

Network

Country Destination Domain Proto
US 8.8.8.8:53 fd47575b-2c81-4302-8ccf-60bd972ce485.uuid.filesdumpplace.org udp
US 8.8.8.8:53 server15.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server15.filesdumpplace.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server15.filesdumpplace.org tcp
BG 185.82.216.96:443 server15.filesdumpplace.org tcp

Files

memory/1092-1-0x0000000002A30000-0x0000000002E2D000-memory.dmp

memory/1092-2-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/1092-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5072-4-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/5072-5-0x0000000003080000-0x00000000030B6000-memory.dmp

memory/5072-7-0x0000000074A60000-0x0000000075211000-memory.dmp

memory/5072-6-0x00000000057F0000-0x0000000005E1A000-memory.dmp

memory/5072-9-0x0000000074A60000-0x0000000075211000-memory.dmp

memory/5072-8-0x0000000005780000-0x00000000057A2000-memory.dmp

memory/5072-11-0x0000000006000000-0x0000000006066000-memory.dmp

memory/5072-10-0x0000000005F90000-0x0000000005FF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0sq30jeh.n1x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5072-20-0x0000000006070000-0x00000000063C7000-memory.dmp

memory/5072-21-0x0000000006540000-0x000000000655E000-memory.dmp

memory/5072-22-0x0000000006590000-0x00000000065DC000-memory.dmp

memory/5072-23-0x0000000006970000-0x00000000069B6000-memory.dmp

memory/5072-26-0x0000000070E60000-0x00000000711B7000-memory.dmp

memory/5072-25-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

memory/5072-36-0x00000000079B0000-0x00000000079CE000-memory.dmp

memory/5072-35-0x0000000074A60000-0x0000000075211000-memory.dmp

memory/5072-24-0x0000000007970000-0x00000000079A4000-memory.dmp

memory/5072-37-0x00000000079D0000-0x0000000007A74000-memory.dmp

memory/5072-40-0x0000000074A60000-0x0000000075211000-memory.dmp

memory/5072-39-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

memory/5072-38-0x0000000008140000-0x00000000087BA000-memory.dmp

memory/5072-41-0x0000000007B30000-0x0000000007B3A000-memory.dmp

memory/5072-42-0x0000000007C40000-0x0000000007CD6000-memory.dmp

memory/5072-43-0x0000000007B60000-0x0000000007B71000-memory.dmp

memory/5072-44-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

memory/5072-45-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

memory/5072-46-0x0000000007C00000-0x0000000007C1A000-memory.dmp

memory/5072-47-0x0000000007C20000-0x0000000007C28000-memory.dmp

memory/5072-50-0x0000000074A60000-0x0000000075211000-memory.dmp

memory/3300-52-0x0000000002A20000-0x0000000002E1A000-memory.dmp

memory/1088-61-0x0000000006330000-0x0000000006687000-memory.dmp

memory/1088-62-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

memory/1088-63-0x0000000070E50000-0x00000000711A7000-memory.dmp

memory/1088-72-0x0000000007A50000-0x0000000007AF4000-memory.dmp

memory/1088-73-0x0000000007D70000-0x0000000007D81000-memory.dmp

memory/1092-75-0x0000000002A30000-0x0000000002E2D000-memory.dmp

memory/1092-74-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1092-76-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/1088-77-0x0000000007DC0000-0x0000000007DD5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0601079cbbd1b1cc8155ed4f49eff5fd
SHA1 c8379651603300f83fc130e848e96698e3740a9e
SHA256 eb272eb098c98d874ceda88566693cc707e04c5ce08004a328133d700b5d6d43
SHA512 79b0f7e6620fc22948cb0938ae707ffd407081be677755ae20480b054ed4378f6e8d9a4777d2783ad4522310398ac2925ff79862a67401237c3afeabbbb96436

memory/792-90-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

memory/792-91-0x0000000070E50000-0x00000000711A7000-memory.dmp

memory/4588-109-0x0000000005EB0000-0x0000000006207000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 12ab32226974c0df1895ff1700101f9d
SHA1 21666e429851b4429624e8b26350ae0d41c7012f
SHA256 a82f241f5da86bef0ccd47d70bd4610b866f70e66debd692db51073d81ba424b
SHA512 056974af184caee981e7d2a2768c5ed18d1788f269022335ecaf86996c1f6ea8093a0bc6588c07fbb921b5b6df03aadd2f142d69d7aa09d7c116444067c0277a

memory/4588-111-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

memory/4588-112-0x0000000071610000-0x0000000071967000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 19452d0e4869ee01e7302fe00322651c
SHA1 172a99bfaf09962c33729716f8b55cc43aab4405
SHA256 8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310
SHA512 d3c5c552d070c521739116a6825f04b30a1981b022017e22a00d9c5442f9c8181c81c5ce9df484b4122094e0a25c3799e82b7204308b34dea7cd0d507e97c5aa

memory/3300-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1472-136-0x00000000060A0000-0x00000000063F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e11419a1a127faea8a5ec0da49426aaf
SHA1 5876332f2201cf78155816598b51252c979597b2
SHA256 bf940ed6be5722a8f699a6fcccb227488f170bec117b8050623438c6884894bd
SHA512 f5282cafa11d425f12fc1bc221b3188851029b422b095a17df649f5c84541be642cce26a0f17761c8712ff1cc0984a3b75ebab5152328979c3ec4fc2cd85e88a

memory/1472-138-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

memory/1472-139-0x0000000070EE0000-0x0000000071237000-memory.dmp

memory/2444-157-0x00000000060A0000-0x00000000063F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 174d147b43e21bb7ccb06fd51452eae6
SHA1 9f95ba616c791459f15c5a6db154ad9dfba0f79b
SHA256 359a5f74f82d06f3eab35747ac52114f0688fe0ddd9100ffe948317eca35a71b
SHA512 e6db2fcac2a4b7710f723e5f28b44d67f9ea2b7dcb930056fa956e5ba49eaa4d0f0fa3d0647f1d52214accd7e600a6de1ae134402428761528d18979d143b854

memory/2444-160-0x0000000006680000-0x00000000066CC000-memory.dmp

memory/2444-161-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

memory/2444-162-0x0000000070D70000-0x00000000710C7000-memory.dmp

memory/2444-171-0x0000000007880000-0x0000000007924000-memory.dmp

memory/2444-172-0x0000000007A70000-0x0000000007A81000-memory.dmp

memory/2444-173-0x0000000006420000-0x0000000006435000-memory.dmp

memory/868-180-0x0000000006080000-0x00000000063D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f65cdb49c26ab0bccecbdb6f0f4bc978
SHA1 fc7a7dc1192525d9131e0b2b77d9fac400787cc0
SHA256 84883af6cf668d783096df6c075311550c7569f869ee9cf5d69a0757b2c7dfec
SHA512 975dfa7783c4fb38f17fa89e9f64682ee9a9d98b0f5ae0e9a831ad996d7b9c1728e304d28e087cdcca3313f03a424251ff12ab7a2f7cd0c3db1992bf6efab383

memory/868-185-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

memory/868-186-0x0000000070E40000-0x0000000071197000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2060-202-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3696-206-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4836-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3696-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2060-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4836-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2060-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4836-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2060-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2060-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:49

Reported

2024-05-16 17:51

Platform

win10v2004-20240508-en

Max time kernel

35s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3756 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2936 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\rss\csrss.exe
PID 2936 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\rss\csrss.exe
PID 2936 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe C:\Windows\rss\csrss.exe
PID 1348 wrote to memory of 3568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 3568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 3568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 1476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 1476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 1476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 1784 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1348 wrote to memory of 1784 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
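The table above lists one row per WriteProcessMemory call, so a single CreateProcess shows up two or three times and the parent/child structure is hard to read by eye. The following script is an added example (not part of the sandbox report) that parses the rows, collapses the repeats, rebuilds the process tree and groups the roots by executable; the row list is constructed from the table above with the image paths copied verbatim. One thing the flat table hides and the tree makes obvious: there are two roots, 5056 and 2936, both running the submitted sample, and everything that matters (the firewall rule, the csrss.exe copy, the injector) descends from 2936. The table does not record how 2936 was started, so the script reports it as a separate root rather than guessing.

```python
import re
from collections import defaultdict

# Image paths exactly as they appear in the table above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"

# Constructed input: rows copied from the report's WriteProcessMemory table.
# The sandbox logs one row per WriteProcessMemory call, so one CreateProcess
# usually appears two or three times; the repeats are kept on purpose.
WPM_ROWS = [
    f"PID 5056 wrote to memory of 4344 N/A {SAMPLE} {PS}",
    f"PID 5056 wrote to memory of 4344 N/A {SAMPLE} {PS}",
    f"PID 2936 wrote to memory of 5116 N/A {SAMPLE} {PS}",
    f"PID 2936 wrote to memory of 5116 N/A {SAMPLE} {PS}",
    f"PID 2936 wrote to memory of 3756 N/A {SAMPLE} {CMD}",
    f"PID 3756 wrote to memory of 4040 N/A {CMD} {NETSH}",
    f"PID 3756 wrote to memory of 4040 N/A {CMD} {NETSH}",
    f"PID 2936 wrote to memory of 1196 N/A {SAMPLE} {PS}",
    f"PID 2936 wrote to memory of 4868 N/A {SAMPLE} {PS}",
    f"PID 2936 wrote to memory of 1348 N/A {SAMPLE} {CSRSS}",
    f"PID 2936 wrote to memory of 1348 N/A {SAMPLE} {CSRSS}",
    f"PID 2936 wrote to memory of 1348 N/A {SAMPLE} {CSRSS}",
    f"PID 1348 wrote to memory of 3568 N/A {CSRSS} {PS}",
    f"PID 1348 wrote to memory of 1476 N/A {CSRSS} {PS}",
    f"PID 1348 wrote to memory of 228 N/A {CSRSS} {PS}",
    f"PID 1348 wrote to memory of 1784 N/A {CSRSS} {INJECTOR}",
    f"PID 1348 wrote to memory of 1784 N/A {CSRSS} {INJECTOR}",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Parse the rows into unique (ppid, pid, parent_image, child_image) edges."""
    seen, edges = set(), []
    for line in rows:
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        ppid, pid, parent, child = int(m[1]), int(m[2]), m[3], m[4]
        if (ppid, pid) not in seen:          # collapse the repeated calls
            seen.add((ppid, pid))
            edges.append((ppid, pid, parent, child))
    return edges


def build_tree(edges):
    """Return (children, image, roots); a root is a writer that was never written to."""
    children, image = defaultdict(list), {}
    for ppid, pid, parent, child in edges:
        image.setdefault(ppid, parent)
        image[pid] = child
        children[ppid].append(pid)
    written_to = {pid for _, pid, _, _ in edges}
    roots = [ppid for ppid in children if ppid not in written_to]
    return children, image, roots


def roots_by_image(image, roots):
    """Group root PIDs by executable, to spot one image started more than once."""
    grouped = defaultdict(list)
    for pid in roots:
        grouped[image[pid]].append(pid)
    return dict(grouped)


def render(children, image, roots):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    children, image, roots = build_tree(edges)
    print(render(children, image, roots))
    print("roots by image:", roots_by_image(image, roots))
```

The same parser works on a full export of this table; dedup is keyed on (parent PID, child PID), which is safe within one detonation because the sandbox does not reuse PIDs in a 150-second run.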

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe

"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe

"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
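Four of the command lines above are the ones a responder needs to act on: the copy of the sample running as C:\Windows\rss\csrss.exe (the real csrss.exe only runs from System32), the netsh rule that opens inbound traffic to that copy, the ONLOGON task with /RL HIGHEST that restarts it, and the injector that loads NtQuerySystemInformationHook.dll into taskmgr.exe so the process does not show up in Task Manager. The script below is an added example (not part of the report) that runs a small set of command-line rules over the Processes list as copied above. The system-process name list, the two trusted directories, the rule names and the ATT&CK mapping in the comments are my choices, not the sandbox's.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
HOOK_DLL = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"

# Command lines copied from the Processes list above.
CMD_NETSH = r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'
NETSH_CMD = r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'
TASK_CREATE = r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'
TASK_DELETE = r"schtasks /delete /tn ScheduledUpdate /f"
INJECTOR_CMD = f"{INJECTOR} taskmgr.exe {HOOK_DLL}"
POWERSHELL_CMD = "powershell -nologo -noprofile"

PROCESSES = [  # (image, command line) in the order the report lists them
    (SAMPLE, f'"{SAMPLE}"'), (PS, POWERSHELL_CMD),
    (SAMPLE, f'"{SAMPLE}"'), (PS, POWERSHELL_CMD),
    (CMD, CMD_NETSH), (NETSH, NETSH_CMD),
    (PS, POWERSHELL_CMD), (PS, POWERSHELL_CMD),
    (CSRSS, CSRSS), (PS, POWERSHELL_CMD),
    (SCHTASKS, TASK_CREATE), (SCHTASKS, TASK_DELETE),
    (PS, POWERSHELL_CMD), (PS, POWERSHELL_CMD),
    (INJECTOR, INJECTOR_CMD), (SCHTASKS, TASK_CREATE),
]

# Assumptions for the rules (mine, not the report's): core Windows process
# names that legitimately run only from these two directories.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def triage(image, cmdline):
    """Return [(rule, detail), ...] for one process; an empty list means nothing notable."""
    findings, low = [], cmdline.lower()
    # T1036: a system-process name running from, or pointed at, a non-system directory
    for path in dict.fromkeys(PATH_RE.findall(cmdline) + [image]):
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
            findings.append(("masquerade", path))
    # T1562.004: inbound allow rule for a specific program
    if all(k in low for k in ("netsh", "advfirewall", "add rule", "action=allow")):
        prog = re.search(r'program="?([^"\s]+)', cmdline, re.I)
        findings.append(("firewall_allow", prog[1] if prog else ""))
    # T1053.005: scheduled task creation or removal
    if "schtasks" in low:
        tn = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.I)
        name = tn[1] if tn else ""
        if "/create" in low:
            sc = re.search(r"/sc\s+(\S+)", cmdline, re.I)
            rl = re.search(r"/rl\s+(\S+)", cmdline, re.I)
            tr = re.search(r'/tr\s+"?([^"\s]+)', cmdline, re.I)
            elevated_logon = (sc and sc[1].lower() == "onlogon"
                              and rl and rl[1].lower() == "highest")
            rule = "logon_task_highest" if elevated_logon else "scheduled_task"
            findings.append((rule, f"{name} -> {tr[1] if tr else ''}"))
        if "/delete" in low:
            findings.append(("task_delete", name))
    # T1055.001: a DLL under %TEMP% plus a bare process name on the command line
    dlls = [p for p in PATH_RE.findall(cmdline)
            if p.lower().endswith(".dll") and "\\temp\\" in p.lower()]
    targets = [t for t in cmdline.split() if t.lower().endswith(".exe") and "\\" not in t]
    if dlls:
        findings.append(("dll_from_temp", dlls[0]))
        if targets:
            findings.append(("injection_target", targets[0]))
    return findings


def flagged(processes):
    """Keep only the processes that have at least one finding."""
    out = []
    for image, cmdline in processes:
        findings = triage(image, cmdline)
        if findings:
            out.append((image, cmdline, findings))
    return out


if __name__ == "__main__":
    for image, cmdline, findings in flagged(PROCESSES):
        print(image)
        for rule, detail in findings:
            print(f"  {rule}: {detail}")
```

The masquerade rule looks at every path on the command line, not only the image, which is why the netsh and schtasks lines are flagged even though netsh.exe and schtasks.exe themselves are legitimate: the same non-System32 csrss.exe path ties the firewall rule, the logon task and the running copy together. On a live host the equivalent check is to compare each csrss.exe process's image path against %SystemRoot%\System32 and to list firewall rules and scheduled tasks whose program path sits outside the system directories.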

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 f8dec927-4453-4682-ae04-80fa0873c988.uuid.filesdumpplace.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.filesdumpplace.org udp
N/A 127.0.0.1:3478 udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server13.filesdumpplace.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
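The network table mixes four different kinds of row: PTR lookups (the in-addr.arpa names), a STUN lookup and a UDP packet to port 3478, DNS queries against 8.8.8.8, and the TCP connections themselves. Reading it as a list of indicators is misleading: cdn.discordapp.com and www.bing.com are shared services, the IP behind carsalessystem.com is unlikely to be dedicated to this operator, and the in-addr.arpa names are not destinations at all. The script below is an added example (not part of the report) that sorts the rows into those buckets and reverses the PTR names back into addresses; the table is embedded verbatim as constructed input, and the shared-host list is my assumption. Two things fall out: every address the sample connected to over TCP also had its PTR record looked up (whether the lookups come from the sample or from the sandbox OS cannot be told from the table), and the first label of one queried name is a UUID, which is consistent with a per-installation identifier carried in DNS, although the table shows only the query.

```python
import re

# Constructed input: the Network table above, copied verbatim.
NETWORK_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 f8dec927-4453-4682-ae04-80fa0873c988.uuid.filesdumpplace.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.filesdumpplace.org udp
N/A 127.0.0.1:3478 udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server13.filesdumpplace.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
"""

# Country, ip:port, optional domain, protocol. The 127.0.0.1:3478 row has no domain.
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Assumption (mine): hosts shared with legitimate traffic; block the URL, not the host or its IP.
SHARED_HOSTS = {"www.bing.com", "cdn.discordapp.com"}


def ptr_target(domain):
    """'a.b.c.d.in-addr.arpa' -> 'd.c.b.a', the address whose PTR record was asked for."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage_network(text):
    """Sort the rows into PTR lookups, STUN, shared hosts, operator-controlled names and TCP connections."""
    ptr, stun, connections, domains, shared = set(), [], [], set(), set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        ip, port, domain, proto = m[2], int(m[3]), m[4] or "", m[5]
        if domain.endswith(".in-addr.arpa"):
            ptr.add(ptr_target(domain))
            continue
        if port == 3478 or domain.startswith("stun."):      # STUN: external-address discovery
            stun.append(domain or f"{ip}:{port}")
            continue
        if proto == "tcp":
            connections.append((ip, port, domain))
        (shared if domain in SHARED_HOSTS else domains).add(domain)
    connected = {ip for ip, _, _ in connections}
    return {
        "domains": domains,                                  # names worth blocking outright
        "uuid_labels": sorted(d for d in domains if UUID_RE.match(d.split(".")[0])),
        "shared": shared,
        "stun": stun,
        "connections": connections,
        "ptr_with_connection": sorted(ptr & connected),      # PTR looked up for an IP we also connected to
        "ptr_without_connection": sorted(ptr - connected),   # PTR looked up, no TCP row in the table
    }


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

The seven addresses in ptr_without_connection have no TCP row in this table, so the script reports them separately instead of promoting them to indicators; the three names in domains and the two IPs connected to on 443 that are not behind a shared host are the part of this table that belongs in a blocklist.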

Files

memory/5056-1-0x00000000029A0000-0x0000000002DA8000-memory.dmp

memory/5056-2-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/5056-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4344-4-0x000000007403E000-0x000000007403F000-memory.dmp

memory/4344-5-0x0000000005070000-0x00000000050A6000-memory.dmp

memory/4344-6-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/4344-7-0x0000000005720000-0x0000000005D48000-memory.dmp

memory/4344-8-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/4344-9-0x0000000005640000-0x0000000005662000-memory.dmp

memory/4344-10-0x0000000005F40000-0x0000000005FA6000-memory.dmp

memory/4344-11-0x0000000005FB0000-0x0000000006016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ji1pgdpl.zfq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4344-17-0x0000000006020000-0x0000000006374000-memory.dmp

memory/4344-22-0x0000000006620000-0x000000000663E000-memory.dmp

memory/4344-23-0x00000000066C0000-0x000000000670C000-memory.dmp

memory/4344-24-0x0000000006B80000-0x0000000006BC4000-memory.dmp

memory/4344-25-0x0000000007960000-0x00000000079D6000-memory.dmp

memory/4344-26-0x0000000008060000-0x00000000086DA000-memory.dmp

memory/4344-27-0x00000000079E0000-0x00000000079FA000-memory.dmp

memory/4344-29-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/4344-28-0x0000000007BA0000-0x0000000007BD2000-memory.dmp

memory/4344-30-0x0000000070650000-0x00000000709A4000-memory.dmp

memory/4344-40-0x0000000007BE0000-0x0000000007BFE000-memory.dmp

memory/4344-41-0x0000000007C00000-0x0000000007CA3000-memory.dmp

memory/4344-42-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/4344-43-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

memory/4344-44-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/4344-45-0x0000000007DB0000-0x0000000007E46000-memory.dmp

memory/4344-46-0x0000000007D30000-0x0000000007D41000-memory.dmp

memory/4344-47-0x0000000007D70000-0x0000000007D7E000-memory.dmp

memory/4344-48-0x0000000007D80000-0x0000000007D94000-memory.dmp

memory/4344-49-0x0000000007E70000-0x0000000007E8A000-memory.dmp

memory/4344-50-0x0000000007E50000-0x0000000007E58000-memory.dmp

memory/4344-53-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/2936-55-0x0000000002A20000-0x0000000002E1B000-memory.dmp

memory/5056-56-0x00000000029A0000-0x0000000002DA8000-memory.dmp

memory/5116-66-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/5116-67-0x0000000070650000-0x00000000709A4000-memory.dmp

memory/5116-77-0x0000000007A20000-0x0000000007AC3000-memory.dmp

memory/5116-78-0x0000000007D40000-0x0000000007D51000-memory.dmp

memory/5056-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5056-80-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/5116-81-0x0000000007D90000-0x0000000007DA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1196-94-0x0000000005900000-0x0000000005C54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 549d21798568622d1c0b3085b38e4a54
SHA1 06ec3f557c471336a9555d80b79ce76fadca20d9
SHA256 c8ad804a8f3ef7ed5fed577dc3a1bf4fdfc089de4a14e7551d9c67ad6cb7348f
SHA512 6e2c07e75f1c6b2003e54d40d6671442750fc1c298afcb8f5f2a69303881aa278b96cc76622c88c3788a7319db28fb97d345d83639da9cc7dfe123b582659160

memory/1196-96-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/1196-97-0x0000000070050000-0x00000000703A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 669d43d17ac3a3fddab103cba1e346f6
SHA1 5e7b86a1ecf021c80acff7e768b317afd8b50527
SHA256 d70d5e377237aec1c3fbfcdb623f6bbf214310c597d7b7f250f6e64242fbd6c1
SHA512 83ea943cb59fc1b92fc6f6f7a0576744cfc171868b22a228989a80ed64547d9c0f5d0d5a8696aca8521e7f60cf604e61757d43c3a07097d3ed36327a90d70ada

memory/4868-118-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/4868-119-0x0000000070050000-0x00000000703A4000-memory.dmp

memory/2936-129-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 19452d0e4869ee01e7302fe00322651c
SHA1 172a99bfaf09962c33729716f8b55cc43aab4405
SHA256 8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310
SHA512 d3c5c552d070c521739116a6825f04b30a1981b022017e22a00d9c5442f9c8181c81c5ce9df484b4122094e0a25c3799e82b7204308b34dea7cd0d507e97c5aa

memory/2936-134-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 601b73427022d325b73f0438729b9a45
SHA1 2cd042820239d69d66c403547a5bcb5cd50dbd14
SHA256 ae1d256f0e893e5c058c4322d7f3f280315d82ede5bdae00d4948350d0295a17
SHA512 947e7aeccbc75d3e5fdbf9c7e416dcfa1de5d5f8c8719a90d951a4a2f961bf38db6e1a4c1ec0380d64fc1efa8094162228d8ff7b00d64d5988c8b167e17fb4a1

memory/3568-147-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/3568-148-0x0000000070050000-0x00000000703A4000-memory.dmp

memory/1476-169-0x0000000006440000-0x0000000006794000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2cb040aed788988d18fad8636cce8a82
SHA1 2f8b3b54ee4dec3aabc34d121ee458a7efc767ea
SHA256 b350e936042ff642194c8b582f5bb9c815a96854611e514a17273fb4ac9816e9
SHA512 98b0df6153de618cdd01705d30d1f861f89b663755b724f4db2c3b2c94490fa57c0bfbb4e140aef8cd56bd69fa3d5678bcdb4543b8e946f03378103f200cf8a7

memory/1476-171-0x0000000006BA0000-0x0000000006BEC000-memory.dmp

memory/1476-172-0x000000006FDF0000-0x000000006FE3C000-memory.dmp

memory/1476-173-0x000000006FF70000-0x00000000702C4000-memory.dmp

memory/1476-183-0x0000000007AF0000-0x0000000007B93000-memory.dmp

memory/1476-184-0x0000000007E60000-0x0000000007E71000-memory.dmp

memory/1476-185-0x00000000061D0000-0x00000000061E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 905463c178451057715b028efc7059d2
SHA1 8333d74af68b0c0d953d4c379b3e40b74ce2308b
SHA256 1ebe427448470199d292a94fc033d6fe1a440d2c122995500a593dcf3f24550e
SHA512 0f79fe0ff98645719574ad32928427011100ba9c640f816aed842c2ebc525dab48092ee6d24efc591e16b3833536a43c304f314986be12c233508bdb24e7a603

memory/228-197-0x000000006FDF0000-0x000000006FE3C000-memory.dmp

memory/228-198-0x000000006FF70000-0x00000000702C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1348-214-0x0000000000400000-0x0000000000D1C000-memory.dmp
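Two checks a practitioner wants from the Files list are buried in the hashes and dump names. First, the dropped C:\Windows\rss\csrss.exe has the same SHA256 as the submitted sample, so the "Glupteba payload" persisted under a system-process name is a self-copy, not a second-stage binary. Second, the region 0x400000-0xD1C000 is dumped from PIDs 5056, 2936 and 1348, the three processes running that image, so one unpacked dump covers all of them. The powershell.exe.log and StartupProfileData-Interactive files live under C:\Windows\SysWOW64\config\systemprofile, the profile directory Windows uses for LocalSystem (SysWOW64 because the PowerShell in use is the 32-bit one), which is consistent with those PowerShell instances running as SYSTEM. The script below is an added example (not part of the report) that parses a subset of the list copied from above (SHA512 lines left out for brevity) and performs those checks.

```python
import re
from collections import defaultdict

SAMPLE_SHA256 = "8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310"

# Constructed input: a subset of the Files list above, in the report's own layout.
FILES_TEXT = r"""
memory/5056-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4344-6-0x0000000074030000-0x00000000747E0000-memory.dmp
memory/4344-8-0x0000000074030000-0x00000000747E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ji1pgdpl.zfq.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
memory/5116-66-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/5056-79-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5 968cb9309758126772781b83adb8a28f
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
memory/1196-96-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/2936-129-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
MD5 19452d0e4869ee01e7302fe00322651c
SHA1 172a99bfaf09962c33729716f8b55cc43aab4405
SHA256 8346a8d9afe2889d9bb1ab1600d3bdc16ab011ef5831acf0bbea36f61683c310
memory/2936-134-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
memory/1348-214-0x0000000000400000-0x0000000000D1C000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Split the list into dumps [(pid, index, start, end)] and files [(path, {algo: hash})]."""
    dumps, files = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m and files:
            files[-1][1][m[1]] = m[2]       # hash line belongs to the most recent path
            continue
        files.append((line, {}))            # anything else starts a new file entry
    return dumps, files


def self_copies(files, sha256):
    """Dropped files that are byte-for-byte the submitted sample."""
    return [path for path, hashes in files if hashes.get("SHA256") == sha256]


def shared_image_ranges(dumps):
    """Address ranges dumped from more than one PID, mapped to the set of PIDs."""
    by_range = defaultdict(set)
    for pid, _, start, end in dumps:
        by_range[(start, end)].add(pid)
    return {rng: pids for rng, pids in by_range.items() if len(pids) > 1}


def system_profile_artifacts(files):
    """Files written under the profile Windows uses for LocalSystem."""
    return [path for path, _ in files if "\\config\\systemprofile\\" in path.lower()]


if __name__ == "__main__":
    dumps, files = parse_files(FILES_TEXT)
    print("self-copies of the sample:", self_copies(files, SAMPLE_SHA256))
    for (start, end), pids in shared_image_ranges(dumps).items():
        print(f"range {start:#x}-{end:#x} ({end - start:#x} bytes) dumped from PIDs {sorted(pids)}")
    print("LocalSystem-profile artifacts:", system_profile_artifacts(files))
```

The 0x6FED0000-0x6FF1C000 range is reported as shared too because it is dumped from several PowerShell PIDs; that is the expected result for a DLL mapped at the same base in each of them, and the size and base are what separate it from the 0x400000 image region.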