Malware Analysis Report

2024-12-08 02:21

Sample ID 240516-wea82agc5z
Target 06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3
SHA256 06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3

Threat Level: Known bad

The file 06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:49

Reported

2024-05-16 17:52

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(18 matches; the report renders no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; the report renders no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
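The Run key, the netsh firewall rule and the ONLOGON scheduled task in this report all point at the same file, C:\Windows\rss\csrss.exe: a binary that borrows the name of the Client/Server Runtime Subsystem but runs from a directory Windows never uses for it. The block below is an added detection example, not part of the sandbox report and not Glupteba's code. It applies that path check to process command lines and Run-key data constructed from the Processes and Signatures sections of this report (plus one benign control event for the genuine csrss.exe, which is the author's addition), and it also flags a powershell.exe launched with no script on its command line, as the `powershell -nologo -noprofile` children here are. Rule names, the system-binary list and the switch list are the author's assumptions.

```python
"""Flag the persistence and defence-evasion command lines recorded in this report.

Added detection example; not part of the sandbox report or of Glupteba.  The
events are constructed from the report's Processes section and Run-key entry,
plus one benign control.  Rule names and the system-binary list are the author's."""
import re
from typing import List, NamedTuple, Sequence, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Process names an implant borrows so it blends into a process listing.
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                       "services.exe", "wininit.exe", "winlogon.exe"}
# PowerShell switches that put the script (or a file/encoded script) on the command line.
PS_SCRIPT_SWITCHES = {"c", "command", "f", "file", "e", "ec", "encodedcommand"}


class Finding(NamedTuple):
    rule: str
    detail: str


def _norm(path: str) -> str:
    # Strip surrounding quotes and registry-style doubled backslashes, lower-case.
    return path.strip('"').replace("\\\\", "\\").lower()


def _in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def _masquerades(path: str) -> bool:
    name = _norm(path).rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and not _in_system_dir(path)


def check_process(image: str, cmdline: str) -> List[Finding]:
    hits: List[Finding] = []
    low = cmdline.lower()
    if _masquerades(image):
        hits.append(Finding("masquerading_system_binary", image))
    # netsh advfirewall firewall add rule ... program="<path>"
    if "advfirewall" in low and "add rule" in low:
        m = re.search(r'program="?([^"\s]+)"?', cmdline, re.I)
        if m and not _in_system_dir(m.group(1)):
            hits.append(Finding("firewall_allow_for_unusual_path", m.group(1)))
    # schtasks /CREATE ... /RL HIGHEST ... /TR "<path>": elevated autostart
    if "schtasks" in low and "/create" in low and "/rl highest" in low:
        m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if target and not _in_system_dir(target):
            hits.append(Finding("elevated_task_for_unusual_path", target))
    # powershell.exe without -Command/-File/-EncodedCommand: the script is not
    # on the command line, so process-creation logs alone never show it.
    if _norm(image).endswith("\\powershell.exe"):
        switches = {t.lower().lstrip("-/") for t in cmdline.split()}
        if not switches & PS_SCRIPT_SWITCHES:
            hits.append(Finding("powershell_script_not_on_cmdline", cmdline))
    return hits


def check_run_value(value_name: str, data: str) -> List[Finding]:
    """Run-key value whose target borrows a system-binary name outside System32."""
    if _masquerades(data):
        return [Finding("run_key_masquerading_target", f"{value_name} -> {_norm(data)}")]
    return []


def scan(events: Sequence[Tuple[str, str]], run_value: Tuple[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for image, cmdline in events:
        findings.extend(check_process(image, cmdline))
    findings.extend(check_run_value(*run_value))
    return findings


# Constructed from this report's Processes section: (image path, command line).
REPORT_EVENTS = [
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell -nologo -noprofile"),
    # Benign control (not from the report): the genuine csrss.exe must not fire.
    (r"C:\Windows\System32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"),
]
# From the "Adds Run key to start application" signature: value name and data.
REPORT_RUN_VALUE = ("csrss", r'"C:\Windows\rss\csrss.exe"')

if __name__ == "__main__":
    for f in scan(REPORT_EVENTS, REPORT_RUN_VALUE):
        print(f"{f.rule:36} {f.detail}")
```

Running it over the constructed events yields five findings: the masquerading csrss.exe image, the firewall allow rule for it, the HIGHEST-privilege logon task for it, the Run value for it, and the PowerShell instance with no script on its command line; the `schtasks /delete` line and the genuine csrss.exe produce nothing. The PowerShell rule is a prompt to pull script-block logging (event 4104) for those processes, since the command line alone does not say what ran.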

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
(64 events with no description, indicator or target, collapsed by process: powershell.exe 17, the submitted sample 12, injector.exe 29, csrss.exe 6)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\system32\cmd.exe
PID 5084 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1684 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5084 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\rss\csrss.exe
PID 5084 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\rss\csrss.exe
PID 5084 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\rss\csrss.exe
PID 824 wrote to memory of 60 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 60 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 60 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 4980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 4980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 4980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 824 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2040 wrote to memory of 3216 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3216 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3216 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3216 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3216 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe

"C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe

"C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 9a5b55f0-ce60-4a57-a15a-5aaf3697380e.uuid.dumppage.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server3.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server3.dumppage.org tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
BG 185.82.216.111:443 server3.dumppage.org tcp
BG 185.82.216.111:443 server3.dumppage.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_de0p1sim.e3m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e935f63add6f544173f49ef4fdeab017
SHA1 3dfb1ad8d4ed526172243003c13f55dcb9860626
SHA256 64768a7715a9dff20000c95e84167d87ba20a7fd035757bebb372920a9da86cc
SHA512 298a063db13a31ffb5969e329b250efa79813f1104cec5a813d0de882f94bd7c8f2b8f215346096cdbd770e4335ccfbbbbd1c2c759b5650123dfff54aabaf8e6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3977c8ee4b0c00d6f282a4a47021ae13
SHA1 6337dd688e134e93cae9014e3b51815cf36902fc
SHA256 f0787e236f904b497267e883a8c55a6160ea8d0b85ff1c5b8c2303eb28c81da5
SHA512 26b2f7c60109cb2879d04c78779eefff8934824c2acb8e69b5af8e1dac5650e4d78de004dfa3337788d39bab597e33e7f96ee5871e86000b51265173796e63c2

C:\Windows\rss\csrss.exe

MD5 ee3f2f8c1c8ff732bbe13e2c948bb0ed
SHA1 d0cc2e887b8b32615a9c2e5668924f6eec3e866c
SHA256 06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3
SHA512 0b9a2ebc366bfc4f8d23128e5a36455126ad88e999353ca66456cf77979ae31b7ff7628544156d8f994729777a0c8c56cdbbdb238c5574e5ef544a842294ac47

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dbd10f96f8b5bb6ef3d4b4e58aeb4b24
SHA1 bb246da8ea5c71ea1074d5c5061a049df1bf6702
SHA256 a93ca180fc779ec2bf84a7f3b783f3e8c9ba05506df1dee0b3a7f0c5d66ea023
SHA512 042a00ea5f914de05f35a61d05226e9d9180ad691d80a1b203240fbec639ae05ad2acf76ec9ecbacea3606794e0d9a09eeba4f185f87c59648800db49c33fcf2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f680b1529b49de61fb71e2af6f25dbe3
SHA1 c8084308793e0bd5eb68f0915c56d3115890c6bd
SHA256 127f97e5a555ef5a4a69af242151dc46c6d5c4c969e37cde24f1cc0475598923
SHA512 6090ed8f575417f17b75db0e72880ceacfedaa66d0dac099b606a33f1cfac62d084b5561aac0d1423dfc9641668e388297f2adaefdb23bdb0b98164da24a60ca

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 390d8b11b833bc674f58c13cb62cc37b
SHA1 421bc9b579267cc3a5e974c53a75d0bb73fccaee
SHA256 a9152217946dd00a497ae5e35f6321c162f319e9a96abb1b0ac95251a1a4d458
SHA512 faf7866bf9b0ed3dd99a5edc6766c78fe54cd02c46812bc7427be49b8b6a6e1966c0626679f2cd33eadc4fc2b12d3bbe6a01d67ac19ef3e57d41f4283bd97288

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:49

Reported

2024-05-16 17:52

Platform

win11-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4356 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\system32\cmd.exe
PID 1360 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1436 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe C:\Windows\rss\csrss.exe
PID 2800 wrote to memory of 3728 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2712 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1072 wrote to memory of 2300 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe

"C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe

"C:\Users\Admin\AppData\Local\Temp\06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 94cd3d7f-9310-42ab-8075-e04f2d1d1f32.uuid.dumppage.org udp
US 8.8.8.8:53 server11.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.111:443 server11.dumppage.org tcp
US 104.21.94.82:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzuofmf3.5qe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cbdd7354e46e601127826d3d489e9e39
SHA1 908db9b7c03255a66e8944da3ce46091454b030f
SHA256 2bd41c6e2ba44a9fd37c919cbec6bbbd8f6bd27bb6f96867efa8844319bdc175
SHA512 767c803e493130ea38b32d78e9d78f19f238c0a46c7deb3ad571c9825b442052017da6b525519fb00987592571ae8004c7d5ddabca0da4c53e48459ced23af0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 094916db2b1e0d2c8b226c231b520690
SHA1 abf7f4e8127d2c90952ce0cb05367645301a0a12
SHA256 1703753bbb9a39b20e97ecd446950bf10329fa0fb563e90ffecf001df7b26938
SHA512 cf12ba659e059d34b2c0a43fff2e5debc555b81b8fd002bc4321a60bafb6e59a411aa24b4aae40976fc9499812ca38a7dbc9bbdbb85c3d44055a10186aad9e7d

C:\Windows\rss\csrss.exe

MD5 ee3f2f8c1c8ff732bbe13e2c948bb0ed
SHA1 d0cc2e887b8b32615a9c2e5668924f6eec3e866c
SHA256 06305185fee4fa912415e86ef7cbc87bcff4ed082c182989ceb84a8d48f49cd3
SHA512 0b9a2ebc366bfc4f8d23128e5a36455126ad88e999353ca66456cf77979ae31b7ff7628544156d8f994729777a0c8c56cdbbdb238c5574e5ef544a842294ac47

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aca6a5081dabf3d508207ce00ebb1728
SHA1 1c97601daf39e7e62ec2df8286e1ace6b1ac394f
SHA256 15880f984e6f25cc3b75f566585b84267556efef8acfc4bd312c16884d846959
SHA512 702f6292ccc8f5535d2b4985cadcce135f856f6a032a414ba04ff69ea6c0868e750130598c4fd75909d02882d82d41e16c9ede96be03de763d3083bac49cf15c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7d22afc568b943a668f62d959a6bdc05
SHA1 cd45957344b3af885b9a1787c93373ce471aca25
SHA256 62907f7ab820f2b8c067fb91ea2ab18910d1edd5d876de1d781dcd81a27cdce4
SHA512 26cdd2a1727bb2fc364750c3325828d3490de715c0ba9f670c8e42576eb77ca60e00e5fb4f23095ed7f942857f1040e673832cfd3e16150810d2eaa4f2863c3c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 635558627c09940d89406548892a1a59
SHA1 05fe60630ecb8e5d578f29645fdb4c1e11c03909
SHA256 56af1177148248c11b15c056af22112534a0d65d241635e509a5a4401168b63e
SHA512 158087a033ad9040f2a7fc57c111ddea2d8573d8ea4120605d288c491480a2f28f17df05515c6f5dce176369988fd27ba9a30082183b92df0fb5b121434baf2b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
