Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-h35wnafa7x
Target 5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f
SHA256 5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f

Threat Level: Known bad

The file 5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 07:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 07:16

Reported

2024-05-17 07:19

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 rows, all fields N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 rows, all fields N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Count (64 rows; description, indicator and target were N/A in every row)
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe 12
C:\Windows\rss\csrss.exe 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\system32\cmd.exe
PID 3384 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3044 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3384 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\rss\csrss.exe
PID 3384 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\rss\csrss.exe
PID 3384 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\rss\csrss.exe
PID 3460 wrote to memory of 2264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2264 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3964 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 4692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 4692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 4692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3768 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3460 wrote to memory of 3768 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4284 wrote to memory of 4660 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4660 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4660 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4660 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4660 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
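
Read as a tree, the table above shows the sample spawning PowerShell, cmd.exe (which runs netsh) and the dropped csrss.exe; csrss.exe in turn spawns PowerShell and injector.exe; windefender.exe runs cmd.exe, which runs sc.exe. The Processes section that follows gives the command line of each node. The Python pass below is an added worked example, not code from the sandbox or from the malware: it runs a few triage rules over those command lines (copied here as constructed sample input), unwrapping `cmd /C` wrappers, flagging a system-process name (csrss.exe) started from outside the system directories, parsing the `schtasks` and `netsh advfirewall` arguments, recording the deny ACEs handed to `sc sdset`, and applying a heuristic that a DLL path and a process name on one command line indicate injection. The list of system process names, the rule names and the heuristic are my own choices.

```python
import ntpath
import re

# Constructed sample input: command lines copied from the Processes section of the behavioral1 run.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe"',
    "powershell -nologo -noprofile",
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\rss\csrss.exe",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    "schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r"cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
]

# My own choices: names the sample borrows from real Windows processes, and where the real ones live.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\sysnative"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')            # quoted token or bare word
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.exe', re.I)   # drive-letter paths to an .exe
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # netsh style key=value pairs


def tokens(cmdline):
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def switches(toks):
    """Map schtasks-style /KEY [value] switches; a switch without a value maps to ''."""
    out, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].upper()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                out[key] = toks[i + 1]
                i += 1
            else:
                out[key] = ""
        i += 1
    return out


def analyze(cmdline, found):
    toks = tokens(cmdline)
    if not toks:
        return
    exe = ntpath.basename(toks[0]).lower()
    exe = exe if exe.endswith(".exe") else exe + ".exe"
    # Masquerading: a system-process name launched from outside the system directories.
    for path in PATH_RE.findall(cmdline):
        if ntpath.basename(path).lower() in SYSTEM_NAMES and ntpath.dirname(path).lower() not in SYSTEM_DIRS:
            found.append(("masquerade", path))
    if exe == "cmd.exe":  # unwrap `cmd /C "<inner>"` and analyse the inner command line
        parts = re.split(r"\s/c\s", cmdline, maxsplit=1, flags=re.I)
        if len(parts) == 2:
            inner = parts[1].strip()
            if inner.startswith('"') and inner.endswith('"'):
                inner = inner[1:-1]
            analyze(inner, found)
    elif exe == "schtasks.exe":
        sw = switches(toks)
        if "CREATE" in sw:
            found.append(("scheduled_task",
                          f"{sw.get('TN')} runs {sw.get('TR')} trigger={sw.get('SC')} runlevel={sw.get('RL')}"))
        elif "DELETE" in sw:
            found.append(("task_deleted", sw.get("TN", "")))
    elif exe == "netsh.exe" and [t.lower() for t in toks[1:5]] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {k.lower(): v.strip('"') for k, v in KV_RE.findall(cmdline)}
        if kv.get("action", "").lower() == "allow":
            found.append(("firewall_allow", f"{kv.get('name')} dir={kv.get('dir')} program={kv.get('program')}"))
    elif exe == "sc.exe" and len(toks) > 3 and toks[1].lower() == "sdset":
        denies = re.findall(r"\(D;[^)]*\)", toks[3])  # explicit deny ACEs in the new descriptor
        found.append(("service_dacl_rewrite", f"{toks[2]} deny={''.join(denies) or 'none'}"))
    # Heuristic: a DLL path and a process name on the same command line suggest injection.
    args = toks[1:]
    dlls = [a for a in args if a.lower().endswith(".dll")]
    targets = [a for a in args if a.lower().endswith(".exe")]
    if dlls and targets:
        found.append(("dll_injection_candidate",
                      f"{ntpath.basename(toks[0])} -> {targets[0]} <- {ntpath.basename(dlls[0])}"))


def triage(cmdlines):
    """Return (rule, detail) findings, de-duplicated in first-seen order."""
    found = []
    for line in cmdlines:
        analyze(line, found)
    return list(dict.fromkeys(found))


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_CMDLINES):
        print(f"{rule:<24} {detail}")
```

Run against the sample's command lines this yields six findings: the masqueraded csrss.exe path, the inbound allow rule for it, the ONLOGON task with highest run level, the deletion of the ScheduledUpdate task, the injector.exe/taskmgr.exe/NtQuerySystemInformationHook.dll triple, and the `(D;;WPDT;;;BA)` deny ACE pushed into the WinDefender service descriptor. The same csrss.exe path appears in four different command lines and is reported once.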

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe

"C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe

"C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 8454647f-4eaa-4db7-bb5f-03a43cfd1903.uuid.datadumpcloud.org udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server4.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server4.datadumpcloud.org tcp

Files

memory/4352-1-0x0000000004800000-0x0000000004BFC000-memory.dmp

memory/4352-2-0x0000000004C00000-0x00000000054EB000-memory.dmp

memory/4352-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/976-4-0x000000007490E000-0x000000007490F000-memory.dmp

memory/976-5-0x0000000004C90000-0x0000000004CC6000-memory.dmp

memory/976-7-0x0000000005400000-0x0000000005A28000-memory.dmp

memory/976-6-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/976-8-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/976-9-0x00000000053B0000-0x00000000053D2000-memory.dmp

memory/976-10-0x0000000005BA0000-0x0000000005C06000-memory.dmp

memory/976-11-0x0000000005C10000-0x0000000005C76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nquc43df.itc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/976-21-0x0000000005D80000-0x00000000060D4000-memory.dmp

memory/976-22-0x0000000006290000-0x00000000062AE000-memory.dmp

memory/976-23-0x00000000062B0000-0x00000000062FC000-memory.dmp

memory/976-24-0x00000000067E0000-0x0000000006824000-memory.dmp

memory/976-25-0x00000000075F0000-0x0000000007666000-memory.dmp

memory/976-26-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/976-27-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/4352-28-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/976-30-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/976-32-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/976-42-0x0000000007840000-0x000000000785E000-memory.dmp

memory/976-31-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/976-29-0x0000000007800000-0x0000000007832000-memory.dmp

memory/976-44-0x0000000007860000-0x0000000007903000-memory.dmp

memory/976-43-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/976-45-0x0000000007940000-0x000000000794A000-memory.dmp

memory/976-46-0x0000000007A50000-0x0000000007AE6000-memory.dmp

memory/976-47-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/976-48-0x0000000007950000-0x0000000007961000-memory.dmp

memory/976-49-0x0000000007990000-0x000000000799E000-memory.dmp

memory/976-50-0x00000000079B0000-0x00000000079C4000-memory.dmp

memory/976-51-0x0000000007A00000-0x0000000007A1A000-memory.dmp

memory/976-52-0x00000000079F0000-0x00000000079F8000-memory.dmp

memory/976-55-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/4352-57-0x0000000004800000-0x0000000004BFC000-memory.dmp

memory/4352-58-0x0000000004C00000-0x00000000054EB000-memory.dmp

memory/4352-60-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4352-59-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3116-70-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/3116-71-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/3116-81-0x00000000077D0000-0x0000000007873000-memory.dmp

memory/3116-82-0x0000000007AE0000-0x0000000007AF1000-memory.dmp

memory/3116-83-0x0000000007B30000-0x0000000007B44000-memory.dmp

memory/3384-86-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2240-97-0x00000000057D0000-0x0000000005B24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 aeaaf64d1d027f7fc6aa1682cee459aa
SHA1 a3bd68ee0ef36c52de84963a7add307262cc9ce2
SHA256 a08ee6c0575bb5420d898af14ea2b422ecab5498469ee54c67d5370506054c6e
SHA512 3a8d532851d7d6dc1919c39bc487b369c4fb8ea11de9605026f9b65946762d1bbaf8a0f5300120aaa47894d4874377ed1f4a5698f118898657408b264a0c225c

memory/2240-99-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/2240-100-0x0000000070F40000-0x0000000071294000-memory.dmp

memory/1784-112-0x00000000057B0000-0x0000000005B04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 548ec90f3a2507dfd896f0ad8199b40c
SHA1 ffd5696fce3f2cc9fce50414945a151ccf003c78
SHA256 15833e98c26cf9445d07d9278278e4c94eb1838f8ff8c0da2b876a39ff72fbb5
SHA512 5ab4a0692b8a07430ea74162ef8e3d22aa6cb273f29dd7d88fadc16aac539cd2af3897e482889d690b79e120f7ccbfe8417a0ec7d00ee89ab29d3e44de36d2e8

memory/1784-123-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/1784-124-0x0000000070F20000-0x0000000071274000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9fa5c0769a1935a9f4d16fe4c771dfd1
SHA1 5abab6bbd908e7fda02488b4b98ad371b2269178
SHA256 5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f
SHA512 9f802ece971efa88125af8aab271c3805b1796e9f793ecba81f84528b298ceb78e7de6ea2c901fd501da88f96a329ec7b15e7c5fbd858bfb2fbeb76f4314b1a3

memory/3384-140-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e8c8968097254ce39a36457cd5f9ff41
SHA1 def8a44b5baf6993dfe23f3a46c499938a1a76bf
SHA256 72f499a53fbdeafc0079f1b875be6b266e1a26ec0571ee4727770f949b43a00a
SHA512 6e71ed3df38d3a55484e229579707a5a21eebf4bb5fd44c29ba23a0f6d40e0f7d465b31eb63d8404203e5bf72791cd366d7eff717934672f4768a0faa734dacb

memory/2264-152-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/2264-153-0x0000000070F20000-0x0000000071274000-memory.dmp

memory/3460-163-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3964-165-0x0000000006120000-0x0000000006474000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 620ccdfbbf1e75cd6a67185f8586d20b
SHA1 3443ae16c20d60d7140353abc44090e2dc22a1fa
SHA256 6feb8edfa9d53698f9ace3a1eaeac8aa5c0daccace27108bac789a2aa5c0af63
SHA512 89f37ceb9ae81058f4877a74ebcee73a8e1021b56a3ca439974fb17f821d7dc928f1c7ea2688944ce29408ff49fa21b488512a365fd9d72721b89e3f538617c2

memory/3964-176-0x0000000006820000-0x000000000686C000-memory.dmp

memory/3964-177-0x00000000706C0000-0x000000007070C000-memory.dmp

memory/3964-178-0x0000000070E50000-0x00000000711A4000-memory.dmp

memory/3964-188-0x00000000079D0000-0x0000000007A73000-memory.dmp

memory/3964-189-0x0000000007D50000-0x0000000007D61000-memory.dmp

memory/3964-191-0x00000000065A0000-0x00000000065B4000-memory.dmp

memory/4692-202-0x0000000005E50000-0x00000000061A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 699cf2cabb03d046a57ea8f65a963334
SHA1 a6a96859c25c8a2a2a7c0065a2498fcaf2afb09e
SHA256 17a622a2b9f9b8abad2cb5f26ac758082f9a4292ada23b44a7de7a57b0797086
SHA512 a45bcd2732c66aa006c9a9e90465f4a6273f531f2b32cb152fabf7ca92c493fd7ece3a3b60d952f4f667261322141332fbfb5664aaf1586b7eaa20c929cf65a4

memory/4692-205-0x0000000070840000-0x0000000070B94000-memory.dmp

memory/4692-204-0x00000000706C0000-0x000000007070C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3460-222-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4284-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/708-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4284-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3460-234-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/708-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3460-238-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3460-242-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/708-245-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3460-246-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3460-250-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3460-254-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3460-258-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3460-262-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3460-266-0x0000000000400000-0x0000000002B0C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 07:16

Reported

2024-05-17 07:19

Platform

win11-20240419-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\system32\cmd.exe
PID 4472 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\system32\cmd.exe
PID 3916 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3916 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4472 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\rss\csrss.exe
PID 4472 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\rss\csrss.exe
PID 4472 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe C:\Windows\rss\csrss.exe
PID 3284 wrote to memory of 236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 1372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 1692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 1692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 1692 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 2612 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3284 wrote to memory of 2612 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1508 wrote to memory of 2592 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2592 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2592 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2592 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2592 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe

"C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe

"C:\Users\Admin\AppData\Local\Temp\5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3ddd32c3-7b56-4b6d-b793-b4bbaa9b01b1.uuid.datadumpcloud.org udp
US 8.8.8.8:53 server14.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4dpg1r1.vo4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b89fe9d114981dbe50d9e39a6da46d26
SHA1 00f3d62d9852f1bd74435f5893215766986b4468
SHA256 fb7b258f2318cb15e616f41fd000ad3655b60f6a8a59d1fc4dda5e3202866fcb
SHA512 2fac19fa15dae2669bf872f9521100b3a387905171008df5354bca6fd81eaca053ad2566730043b2ab7d1daa36cdac9d0387fd3fbc347c8757d61139cd9113e8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 421f46683b68bf99b97557e23e078efe
SHA1 47bad90b977c83974166a10eaa92ead8d019bf1f
SHA256 1d5958bd76920d63d1c8059e759346f891a01d9b2a20bbead02671c61067a89d
SHA512 cd03197f5d4116fd09437adc18d97ffaef2b89d22a321404eafd6f361dcccfb4ad74b72e873b29c66f0d6a5501c32289a858c83a902d1c18075e1a235b61b2c3

C:\Windows\rss\csrss.exe

MD5 9fa5c0769a1935a9f4d16fe4c771dfd1
SHA1 5abab6bbd908e7fda02488b4b98ad371b2269178
SHA256 5d935093d4e4039eb9a56e013bac410727951581b7a21dc578f8c360f8c9b40f
SHA512 9f802ece971efa88125af8aab271c3805b1796e9f793ecba81f84528b298ceb78e7de6ea2c901fd501da88f96a329ec7b15e7c5fbd858bfb2fbeb76f4314b1a3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b131027c87ecac92cd430324e8700644
SHA1 2c84d1e76d1468d1ef54c53d36bf0dd796acc68a
SHA256 c3c7f0e5b608ae298a7cf65a7d42c6d283ab5f189827227881372ee12dc1ecb6
SHA512 3c6c71e3305b6eb6fb67411d9b3d838e5bd00aae7cc108e4f7781cfcfb10c85c6714e3acd7ff7a4874edc1b3a2e9577a2edf373c2efd18180fa56428400dfdbe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 be3f16798378e1db0a14159a9e6273cc
SHA1 aed38b84c8ee90f3080bbdbb6be37b666baffffd
SHA256 552d4cb15dea7337822c34006af5eae22257af007e92e547932f99893572fb7b
SHA512 def454b1c0d4eabfcf0714e98f05157dedb68000eb18f7ba322f61072075efde9ec7f6465f1431b94e03d5c8df495032563261662fdfc1d5dd25ffc9d3616001

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e96f24bfaf5969ab4f4dc11649897fe7
SHA1 3ae93431795aea061a6477eb319e8c97790acba8
SHA256 d47ebaafbea35007821750de4da13e64d597081cc3e89599b72ed801bff5a467
SHA512 975ed7ab63b768b3a0e3b6171b69a85a7ea878019381d0a52ee4dc5af38d85ef735da9e09ba06bc9126a774387a1ef58dcc2eafd68661b934ea543b5f8b81df8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
