Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-hyjsmafb69
Target 111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f
SHA256 111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f

Threat Level: Known bad

The file 111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-17 07:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 07:08
Reported: 2024-05-17 07:11
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\system32\cmd.exe
PID 3848 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5036 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3848 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\rss\csrss.exe
PID 3848 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\rss\csrss.exe
PID 3848 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\rss\csrss.exe
PID 3520 wrote to memory of 980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 980 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 4712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 4712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 4712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 4924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 4924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 4924 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3520 wrote to memory of 3316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3100 wrote to memory of 1004 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 1004 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 1004 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1004 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1004 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe
    "C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe
    "C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 07:08

Reported

2024-05-17 07:11

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3988 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe C:\Windows\rss\csrss.exe
PID 4824 wrote to memory of 1676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 4748 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 1616 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4796 wrote to memory of 3440 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe

"C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe

"C:\Users\Admin\AppData\Local\Temp\111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 45cc6843-0dc1-4a3f-b729-d21b06fdadc5.uuid.datadumpcloud.org udp
US 8.8.8.8:53 server7.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server7.datadumpcloud.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dhpccxf.rwh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 739e93503400a91aa81c8cba08fa8b0d
SHA1 dc21fa26e96f553e6e2398ccfac0570dd57f49d0
SHA256 a1dc35971c5539184eea70bb5be65ea3d704f37e95168899746503f8ef94dbd2
SHA512 68c590f2f5e0a1fff787c470bc21d3c98302d9fbb3c9d979e0e536913a444df8c3f3e466a05974793354f056172f670b82bc4e954f6dae4d67cc771a625bfe57

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d57299e4486b1d6316e79519f76bce9
SHA1 ec77521f0789d94bca87cfc5bc433f3ca6b5820e
SHA256 c1df956d41f4e1e009f0fc9a077a7c7fa0958c444496faa2ee701f38dd298f26
SHA512 e716decb69a50c0ea62963b8e978dff8170c68b5e4dc0a73bcfa6e87f174e68f2f64849196baf6177ea926691474f6a713f25fe462352232ae7b4ea17ad80d32

C:\Windows\rss\csrss.exe

MD5 215a5f99738548fb93b934c6a7dd1245
SHA1 30b8acf03ef1a5769a1f55e7eb8f3e579a1d16a1
SHA256 111c364de2057c601502b59c4e11f5d3bf58a028f99e09e77f94d04199bfa42f
SHA512 40302955cad481e8e76675c70ca15b11320e5e556b08ce4369162c0493c75642d272d012e64e048b362e64793c73bbcaeb2a341136742a376d37e7c65e5fb3a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bbafcb3b731b2ef3671abf20011829db
SHA1 d2476a1dd52fb522cd645afea0cc772b8c14599a
SHA256 4bab14b7d537acdc7fa3c7d25e06e1ddc188cab5d0eb330fa762497d4290312d
SHA512 7a2e0023065544ca2c3291eb8e3da573918a0b4425a7df0dbc3204388d56bf03e5ac149abaed267fec0abdd6d526876a0f5b71b23293a367911e92d809612e6c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e51ab60e1d248b9fd63a1f84d34b21a1
SHA1 6e9595110a2125c6353b32d71b5aa6838265bfa6
SHA256 2e92ff539b3ea9c826f6346a481d557ccbaa36d49e502dd00e54ee019bb2a81a
SHA512 c5b2cc4359ae7cb23e93143308292394a96fa7cb87c3bf1c06fc0ddcc13e12b431aca73baa51f8a69a60df7b9d5da50a2d6402a10fa3bbcff3916047e92bd326

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 13d6f1bfe2aa173b55443454d6b44e97
SHA1 d1b0b0fb9495842f18425dba4d256c96aaba8901
SHA256 e37717aec7bdbe0352a9c681255b8b784283c6a18306010dd3750d7f5daf6829
SHA512 833d7ab57123525e6115e164be7c1d960389ef8f984d1b9ad9294e6fb13674c01e3289c02d8a76b54e7e4fd430089dc15f83e938e6b93182c813a4434d40a969

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
