Malware Analysis Report

2024-12-08 02:21

Sample ID 240516-wjn1pagf3x
Target 7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece
SHA256 7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece

Threat Level: Known bad

The file 7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:57

Reported

2024-05-16 17:59

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\system32\cmd.exe
PID 1856 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\system32\cmd.exe
PID 4328 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4328 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1856 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\rss\csrss.exe
PID 1856 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\rss\csrss.exe
PID 1856 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\rss\csrss.exe
PID 1260 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 3792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 3792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 3792 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 4580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 4580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 4580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 3764 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1260 wrote to memory of 3764 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1972 wrote to memory of 5076 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 5076 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 5076 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5076 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5076 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 5076 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe

"C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe

"C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 23.62.61.96:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 96.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 1f168583-d404-4d9f-b152-6d5556c8fa6b.uuid.dumperstats.org | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | stun2.l.google.com | udp
US | 8.8.8.8:53 | server13.dumperstats.org | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.130.233:443 | cdn.discordapp.com | tcp
US | 74.125.250.129:19302 | stun2.l.google.com | udp
BG | 185.82.216.111:443 | server13.dumperstats.org | tcp
US | 8.8.8.8:53 | carsalessystem.com | udp
US | 104.21.94.82:443 | carsalessystem.com | tcp
US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 111.216.82.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp
BG | 185.82.216.111:443 | server13.dumperstats.org | tcp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
BG | 185.82.216.111:443 | server13.dumperstats.org | tcp

Files

memory/2340-1-0x0000000002970000-0x0000000002D78000-memory.dmp

memory/2340-2-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/2340-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/916-4-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

memory/916-5-0x0000000000FD0000-0x0000000001006000-memory.dmp

memory/916-6-0x00000000053A0000-0x00000000059C8000-memory.dmp

memory/916-7-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/916-8-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/916-9-0x00000000051F0000-0x0000000005212000-memory.dmp

memory/916-11-0x0000000005A40000-0x0000000005AA6000-memory.dmp

memory/916-10-0x00000000059D0000-0x0000000005A36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jvrce0u.pao.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/916-21-0x0000000005AB0000-0x0000000005E04000-memory.dmp

memory/916-22-0x00000000060B0000-0x00000000060CE000-memory.dmp

memory/916-23-0x0000000006170000-0x00000000061BC000-memory.dmp

memory/916-24-0x0000000006630000-0x0000000006674000-memory.dmp

memory/916-25-0x00000000073F0000-0x0000000007466000-memory.dmp

memory/916-26-0x0000000007AF0000-0x000000000816A000-memory.dmp

memory/916-27-0x0000000007490000-0x00000000074AA000-memory.dmp

memory/916-30-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/916-29-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/916-28-0x0000000007640000-0x0000000007672000-memory.dmp

memory/916-31-0x0000000070D30000-0x0000000071084000-memory.dmp

memory/916-42-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/916-41-0x0000000007680000-0x000000000769E000-memory.dmp

memory/916-43-0x00000000076A0000-0x0000000007743000-memory.dmp

memory/916-44-0x0000000007790000-0x000000000779A000-memory.dmp

memory/916-45-0x0000000007850000-0x00000000078E6000-memory.dmp

memory/916-46-0x00000000077B0000-0x00000000077C1000-memory.dmp

memory/916-47-0x00000000077F0000-0x00000000077FE000-memory.dmp

memory/916-48-0x0000000007800000-0x0000000007814000-memory.dmp

memory/916-49-0x00000000078F0000-0x000000000790A000-memory.dmp

memory/916-50-0x0000000007840000-0x0000000007848000-memory.dmp

memory/916-53-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/1856-55-0x0000000002980000-0x0000000002D87000-memory.dmp

memory/2340-56-0x0000000002970000-0x0000000002D78000-memory.dmp

memory/3724-66-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/3724-67-0x0000000070D30000-0x0000000071084000-memory.dmp

memory/3724-77-0x0000000007A10000-0x0000000007AB3000-memory.dmp

memory/3724-78-0x0000000007D60000-0x0000000007D71000-memory.dmp

memory/2340-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2340-80-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/3724-81-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2404-92-0x0000000006000000-0x0000000006354000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d202b8f1c008e7d30b1ec5c59c1d4ca
SHA1 82c6e1c9a3f5b87073986d55b16acf0d5ff9c9d7
SHA256 cf24ef69164682e72cf62652b1e3b9209e0d638528c809b6d4f24853d16fc13e
SHA512 855fab974232de75f589b036e378114b4e626c1707082a7ed55bb66f703700b1090f788ebbe7b8db4ccf087ac260ee401c8d009dfa326daa6a37fc7744c7a5fa

memory/2404-97-0x0000000071330000-0x0000000071684000-memory.dmp

memory/2404-96-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a87c367be29c084364c8e445c7252bad
SHA1 b9eb1f9296e141501f91b36b158c653dabd59449
SHA256 4b5fcd7a6336d2807ffc87bbb8de39533cb023583adefaa3d04c53434b111e35
SHA512 11117ea91d8333aa7dea1a9f7bd418edcc9fc189555617676bc7435c1ac52797c987ee869f95d5d0f4d4909380ef1317021c16152e6504504dbb33b1d1208a16

memory/3000-118-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/3000-119-0x0000000071330000-0x0000000071684000-memory.dmp

memory/1856-129-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 82e4b507bad965b84e8ac6b725239d56
SHA1 cf352f5284b0568c68e6f82deb24f54a9c5ba023
SHA256 7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece
SHA512 9190c6151406638fcaeb16a1b2dfc248e8b438695db27a623abcc5e1e926c73a66eaaa2523a178f382a7a684added7dfe2825f4eab046791ef07d03482fa6c05

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8bd712c2095444a963f10fad0b700b5c
SHA1 d849a8ebdc1ab0fb8aac4240dfca9b35f0f0f099
SHA256 46a989c2cf7b5dd0294a41eae153921eec832c63e33d48653bb74caf784077ee
SHA512 fd04b615243a7ac4aad0953f5fbf1b025dcc377a3ff0eac91903453594831c403218c5bc582af00bfb58712c74098ba9f3bd54a724037a6bd1d40ddd0a8555cb

memory/2568-146-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

memory/2568-147-0x0000000070D30000-0x0000000071084000-memory.dmp

memory/3792-165-0x0000000005620000-0x0000000005974000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 04fea51afb3eb347618957278370411b
SHA1 c276aae702a56476ef886902cd60e6fb96459a5c
SHA256 0b4b85267360aaa8fc16472ec8ccabaec54173ef9a593b6391527c2220a521c9
SHA512 219ed4d35fed8fbbbb5fe01ef0030f6149991d9c8b72e25d925552a5986f7843e619742b2fbdef1c39212c0fbe1ef09fb2ec85a8b7f2551ef7bf3a5c62ff225f

memory/3792-170-0x0000000005C80000-0x0000000005CCC000-memory.dmp

memory/3792-171-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

memory/3792-172-0x0000000071260000-0x00000000715B4000-memory.dmp

memory/3792-182-0x0000000006E80000-0x0000000006F23000-memory.dmp

memory/3792-183-0x00000000071F0000-0x0000000007201000-memory.dmp

memory/3792-184-0x0000000004F80000-0x0000000004F94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 45b1d31ceac663f3bbf9b12a201f5c6b
SHA1 0fcba87379db2a111f42096afea46223d4d3cbb5
SHA256 80ca67d6efb9646af646291cf8a6999f8c454fc290db03f4ff29cde0fb59b4f6
SHA512 c6502e8d9351b5058a5e88301731c8b2be19aff53d055f3cbbaba48c3e30c5f44f65b9b98de3afe4a30cc3947b2980d7b6af0b9a016f3f156186e5e5f03a00a6

memory/4580-196-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

memory/4580-197-0x0000000071260000-0x00000000715B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1260-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1856-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1856-216-0x0000000002980000-0x0000000002D87000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1972-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/696-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1972-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1260-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/696-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1260-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/696-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1260-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1260-267-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:57

Reported

2024-05-16 17:59

Platform

win11-20240419-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\system32\cmd.exe
PID 232 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 232 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2112 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\rss\csrss.exe
PID 2112 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\rss\csrss.exe
PID 2112 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe C:\Windows\rss\csrss.exe
PID 1276 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3984 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 4952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1276 wrote to memory of 4952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1736 wrote to memory of 1844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1844 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1844 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1844 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe

"C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 792 -ip 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 2328

C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe

"C:\Users\Admin\AppData\Local\Temp\7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e9e44992-2eb4-423c-a030-3d3623d2fb6d.uuid.dumperstats.org udp
US 8.8.8.8:53 server2.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server2.dumperstats.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server2.dumperstats.org tcp
BG 185.82.216.111:443 server2.dumperstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_si5sdezx.w0j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42223ac01d2b06f64794c8c842408b68
SHA1 2fedb1ad9e74f83e7917af1b2e56322c17370788
SHA256 10352ed22c04851b423ff17a2161f70e0b2fe575815fe0db5095c27fd97f557e
SHA512 168591a5d82f6f246159ba971aa6eb5488cb6c54282a3c6dc14336c3a56ef0dd72a9106113663546e160dd1b4555de9f591d5a182ed9b150931f3f83e9e22fbf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 37c9823fbf086aa6c760614498ebb5c3
SHA1 f20b97e65a0008bd55999edcaca068390b0555be
SHA256 7933a37efc6ea7efd42e20b4b8207582c05a090562591d76683e70e74f7a838c
SHA512 480e4b43e2c5afc56c87011ad66a3cf9f8a2641c8887d597da674c64e1ff98c3fe731703871b46de378a59bee6163e3d69f032ed0903868cdd17ba8eaa6e5e7f

C:\Windows\rss\csrss.exe

MD5 82e4b507bad965b84e8ac6b725239d56
SHA1 cf352f5284b0568c68e6f82deb24f54a9c5ba023
SHA256 7f00d06790fabad2bde9b1ce31bd287216e7e0972041a05fadc909ab63d29ece
SHA512 9190c6151406638fcaeb16a1b2dfc248e8b438695db27a623abcc5e1e926c73a66eaaa2523a178f382a7a684added7dfe2825f4eab046791ef07d03482fa6c05

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e5639ad78822fe9bf905ea9183c8e14b
SHA1 8b7f5e5ee47295d2139e82c7eec675fcda1921a0
SHA256 3b9642534a4ed9846e21f1c6355e929b6109d11370bc09b9035e1b618f2825c5
SHA512 699865ba2427ba3915c8205a76131c633a7ba688116a3c61e6c7fde03d1874df401908dc14f4a0e193e9d18e73d00ae07df5739e6f887b3fbab735b4816df974

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fe8090f7f4e76b260c0ce1d940ee7715
SHA1 daefaac3b9f3833e275489439229471009587d89
SHA256 63cba9557b95812ed9bbb6082d41b2141ad919ae5bd6a5ba049ad54152a5a506
SHA512 2f0ccebafe7ad513aace741dbb1573d7cc22075c06dc460e1d5de6c825bf58f806f45e581c4d239cef68dbc017fe08d5d5c6ef7172daa0bd8fee67a52b8e475f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a7b7e636679757b355dbebcf1d1eb3c4
SHA1 6d4de8b38cd6c72d288436756e0621a367a14057
SHA256 530a0dbbc44382c9ed151a3e903fcf2fa93b5ae936012638ac59fab7b999d099
SHA512 8f13af8bec78f13e700bd1793af57a3a443d2ed682b5b2d9079c38a35ef7f36e4ce37efe7c37807afab60365308b6587b9ab5effe30c70f818743796e3e19338

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
