Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-hze6tsfb94
Target b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a
SHA256 b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a

Threat Level: Known bad

The file b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 07:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 07:10

Reported

2024-05-17 07:12

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows with no indicator, process or target recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows with no indicator, process or target recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\system32\cmd.exe
PID 1912 wrote to memory of 4356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1912 wrote to memory of 4356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1432 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\rss\csrss.exe
PID 1432 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\rss\csrss.exe
PID 1432 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\rss\csrss.exe
PID 4472 wrote to memory of 1776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 1776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 1776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 2136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 2136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 2136 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 668 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 1528 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4472 wrote to memory of 1528 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1056 wrote to memory of 1840 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 1840 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 1840 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1840 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1840 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe

"C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe

"C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
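The `sc sdset WinDefender ...` command in the process list above is the part of this chain an incident responder most needs to read precisely: it rewrites the security descriptor of the service the sample registers for its dropped windefender.exe. The following Python is an added example, not part of the sandbox report or of the malware, that parses the SDDL string exactly as shown above, decodes the two-letter rights codes into service rights, and compares the result with the descriptor Windows assigns to a service created without an explicit descriptor (reproduced here as the comparison baseline; `sc sdshow` prints it for such a service). Function and variable names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Service-specific access rights (winsvc.h), keyed by the two-letter SDDL code
# that `sc sdshow` / `sc sdset` use for them.
SERVICE_RIGHTS: Dict[str, Tuple[int, str]] = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone",
}
# Descriptor the sample applied (copied from the sc.exe command line in the report).
GLUPTEBA_WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Comparison baseline: the descriptor Windows gives a new service whose installer
# supplies none. Not from the report; included here as the reference point.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


class Ace(NamedTuple):
    ace_type: str   # "A" = access allowed, "D" = access denied
    rights: int
    trustee: str


def parse_rights(code: str) -> int:
    """Turn an SDDL rights field ("CCLCSWRP..." or "0x1f01ff") into a bit mask."""
    if code.lower().startswith("0x"):
        return int(code, 16)
    mask = 0
    for i in range(0, len(code), 2):
        pair = code[i:i + 2]
        if pair not in SERVICE_RIGHTS:
            raise ValueError(f"unsupported right {pair!r}")
        mask |= SERVICE_RIGHTS[pair][0]
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the DACL ACEs in order; the SACL (S:...) is not needed here."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")   # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, _flags, rights, _obj, _inh, sid = fields
        aces.append(Ace(ace_type, parse_rights(rights), WELL_KNOWN_SIDS.get(sid, sid)))
    return aces


def masks_for(aces: List[Ace], trustee: str) -> Tuple[int, int]:
    """(allowed, denied) masks for one trustee. Simplification: a real access check
    walks the ACL in order and folds in the caller's group SIDs; here each alias
    is evaluated on its own, which is enough to read what `sc sdset` changed."""
    allowed = denied = 0
    for a in aces:
        if a.trustee == trustee and a.ace_type == "A":
            allowed |= a.rights
        elif a.trustee == trustee and a.ace_type == "D":
            denied |= a.rights
    return allowed, denied


def rights_names(mask: int) -> List[str]:
    return [name for bit, name in SERVICE_RIGHTS.values() if mask & bit]


def stop_control_report(sddl: str) -> Dict[str, dict]:
    """Per trustee in the DACL: can it stop the service, and what is explicitly denied."""
    aces = parse_dacl(sddl)
    report = {}
    for trustee in dict.fromkeys(a.trustee for a in aces):
        allowed, denied = masks_for(aces, trustee)
        report[trustee] = {
            "can_stop": bool((allowed & ~denied) & SERVICE_RIGHTS["WP"][0]),
            "explicit_deny": rights_names(denied),
        }
    return report


def rights_removed(sddl: str, baseline: str = DEFAULT_SERVICE_SDDL) -> Dict[str, List[str]]:
    """Rights a trustee holds under the baseline descriptor but not under sddl."""
    base, cur = parse_dacl(baseline), parse_dacl(sddl)
    removed = {}
    for trustee in dict.fromkeys(a.trustee for a in base + cur):
        b_allow, b_deny = masks_for(base, trustee)
        c_allow, c_deny = masks_for(cur, trustee)
        lost = (b_allow & ~b_deny) & ~(c_allow & ~c_deny)
        if lost:
            removed[trustee] = rights_names(lost)
    return removed
```

Run against the descriptor from this report, `rights_removed` shows that BUILTIN\Administrators lost exactly SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and `stop_control_report` shows the same two rights also explicitly denied to that group. In practice that means `sc stop WinDefender` or the Services console fails for an administrator while SYSTEM keeps full control; `sc sdshow WinDefender` confirms the current descriptor, and `sc sdset` run from a SYSTEM context is what restores it before the service is removed.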

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 f1a4e573-dd93-431e-8a1a-b9d7a2691ba1.uuid.dumppage.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server1.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server1.dumppage.org tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
BG 185.82.216.111:443 server1.dumppage.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
BG 185.82.216.111:443 tcp

Files

memory/876-1-0x00000000047F0000-0x0000000004BEC000-memory.dmp

memory/876-2-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/876-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1852-5-0x00000000749CE000-0x00000000749CF000-memory.dmp

memory/1852-6-0x0000000002D70000-0x0000000002DA6000-memory.dmp

memory/876-4-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1852-8-0x0000000005430000-0x0000000005A58000-memory.dmp

memory/1852-7-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/1852-9-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/1852-10-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

memory/1852-12-0x0000000005CB0000-0x0000000005D16000-memory.dmp

memory/1852-11-0x0000000005C40000-0x0000000005CA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3jizhah.wh3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1852-22-0x0000000005E20000-0x0000000006174000-memory.dmp

memory/1852-23-0x0000000006330000-0x000000000634E000-memory.dmp

memory/1852-24-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/1852-25-0x0000000007250000-0x0000000007294000-memory.dmp

memory/1852-26-0x00000000074A0000-0x0000000007516000-memory.dmp

memory/1852-27-0x0000000007DA0000-0x000000000841A000-memory.dmp

memory/1852-28-0x0000000007460000-0x000000000747A000-memory.dmp

memory/1852-31-0x00000000709E0000-0x0000000070D34000-memory.dmp

memory/1852-32-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/1852-42-0x00000000078E0000-0x00000000078FE000-memory.dmp

memory/1852-43-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/1852-30-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/1852-29-0x00000000078A0000-0x00000000078D2000-memory.dmp

memory/1852-44-0x0000000007900000-0x00000000079A3000-memory.dmp

memory/1852-45-0x00000000079F0000-0x00000000079FA000-memory.dmp

memory/1852-46-0x0000000007AB0000-0x0000000007B46000-memory.dmp

memory/1852-47-0x0000000007A10000-0x0000000007A21000-memory.dmp

memory/1852-48-0x0000000007A50000-0x0000000007A5E000-memory.dmp

memory/1852-49-0x0000000007A60000-0x0000000007A74000-memory.dmp

memory/1852-50-0x0000000007B50000-0x0000000007B6A000-memory.dmp

memory/1852-51-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

memory/1852-54-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/876-56-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/876-57-0x00000000047F0000-0x0000000004BEC000-memory.dmp

memory/876-67-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/2332-68-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/2332-69-0x00000000709E0000-0x0000000070D34000-memory.dmp

memory/2332-79-0x00000000078D0000-0x0000000007973000-memory.dmp

memory/2332-80-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/2332-81-0x0000000007C50000-0x0000000007C64000-memory.dmp

memory/876-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1432-82-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 32529e60bbfe8c54782c488eca148d61
SHA1 4d4d161ce5df9b99b7057847651c1a8c76635397
SHA256 1da79882a9aa60f3872adaa4d0d3c4f3fca7e9a910d040daa9b7ff8f30063b87
SHA512 0f280e3f34b5fa4604d63e12fb92058ad40dd17e8bc3131ee06ec63d7b6adb4b43a324c8a1859037163468a68bd401ff4ee6f23c470ba6ea5c06c93e0bfa082d

memory/3044-97-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/3044-98-0x00000000709E0000-0x0000000070D34000-memory.dmp

memory/4872-119-0x00000000060E0000-0x0000000006434000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3d1d37ad71b86df215b2b037c0f5038f
SHA1 48a66ba751a695abdfc44f0d2c2b59b34864c214
SHA256 8b8bb11c84008ea0530cdb34070ec039826eaf0484619f7c7790ce6cb265ff9a
SHA512 248132beb773ee1f2fb494a6cb99aaf3b011a38e3133b1bfb4ad1f2ed3ae4b3a01ef34b758b0ab5faf712a6d7921fb3641601d414f450e273789dfe151e798ac

memory/4872-121-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/4872-122-0x0000000070FE0000-0x0000000071334000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3b200be8ba5d94581020a32ca98a1a2b
SHA1 98c2e3426e493471e0f56a68bf66418e300f58d4
SHA256 b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a
SHA512 2ce409e26e091e11878a710fee2b1d69b809b9cc505a02359f683977c138dc7cf46c26f73fbad39f119706f5f941d23ec1041c44825a0a12537b11bc8a61e053

memory/1432-138-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f253ac69f9ca352ea39ce7832735288
SHA1 8abb021d0b74e020b1d46c2e8bc1d117e729da73
SHA256 1c543eef8eb85aa567c60bc01d1d23bbb6984e81ee780e8d95eea045bbe19536
SHA512 a2242ee51caaae829e338dfdab5df6eb7eea6231efd89bc442d1b83e6f18c8218a31f48984407e8dfc95d066dfff2c64582346256ac9e13bca72d8f18fc21ae4

memory/1776-150-0x0000000070860000-0x00000000708AC000-memory.dmp

memory/1776-151-0x0000000070FE0000-0x0000000071334000-memory.dmp

memory/4472-162-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2136-163-0x0000000005640000-0x0000000005994000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0112d64ec892e80045ef8938f58c0fd2
SHA1 fb1e92b29ace751a598a83eb5706e6c7a945e621
SHA256 7e1596dd0ad86ae424336befeddc626559df9ed8b9c0d5accd00a9a9d35fbf01
SHA512 2bc3e34fbf06d8fb094bd3d9c198bde0997af158db861b4e48f1ae46ae4274202c0329d92bf4caee9db8f8f2f8da770534351f175428ed03f895db62c765cc28

memory/2136-174-0x0000000006200000-0x000000000624C000-memory.dmp

memory/2136-175-0x0000000070780000-0x00000000707CC000-memory.dmp

memory/2136-176-0x0000000070F10000-0x0000000071264000-memory.dmp

memory/2136-186-0x0000000006EE0000-0x0000000006F83000-memory.dmp

memory/2136-187-0x0000000005AA0000-0x0000000005AB1000-memory.dmp

memory/2136-188-0x0000000005AE0000-0x0000000005AF4000-memory.dmp

memory/668-195-0x0000000006150000-0x00000000064A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb9ccf364b50fa52233add9a72d3bd20
SHA1 6385ac1632199232e7c44e9a17ecde0918169313
SHA256 97d306406069ece21a2d2c9b434ca5f698962fb76790fa4f076c8873fab35455
SHA512 369e52c29ebc073048957189a0c421ce94d0df81cc3e499c5981e2b309b7a02ae6508d31010a0d2a8845bb0fafb14f7d0787da5956a50d0a332ca389cc58eff7

memory/668-203-0x0000000070780000-0x00000000707CC000-memory.dmp

memory/668-204-0x0000000070D40000-0x0000000071094000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4472-220-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1056-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1056-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4472-231-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4172-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4472-234-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4472-239-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4172-242-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4472-243-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4472-247-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4472-250-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4172-254-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4472-255-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4472-259-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4472-263-0x0000000000400000-0x0000000002B0C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 07:10

Reported

2024-05-17 07:12

Platform

win11-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
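The signature tables above record the persistence and evasion steps one command at a time: a Run key and an ONLOGON scheduled task for C:\Windows\rss\csrss.exe, a firewall allow rule for the same binary, an sc.exe call that rewrites a service DACL, and an injector that loads a DLL into taskmgr.exe. The following Python is an added example, not part of the sandbox report, that expresses those behaviours as process-creation triage rules and runs them over records reconstructed from this report's command lines. PIDs 4472, 908 and 1528 are the ones the report gives in its WriteProcessMemory rows; the remaining PIDs, the benign control record pointing at a Program Files binary, and the rule names are made up for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, NamedTuple

# Directories from which a system-named binary, task target or firewall-allowed
# program is expected to run. Everything else is treated as untrusted.
TRUSTED_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\program files", r"c:\program files (x86)",
)
# Core Windows process names that malware borrows (this sample uses csrss.exe).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "wininit.exe",
                        "winlogon.exe", "services.exe", "svchost.exe"}


class Finding(NamedTuple):
    rule: str
    pid: int
    detail: str


def in_trusted_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def rules_for(pid: int, image: str, cmdline: str) -> List[Finding]:
    """Apply every rule to one process-creation record."""
    out: List[Finding] = []
    # 1. Binary named like a core Windows process but not running from System32.
    if PureWindowsPath(image).name.lower() in SYSTEM_PROCESS_NAMES and not in_trusted_dir(image):
        out.append(Finding("masquerading_system_process_name", pid, image))
    # 2. Logon-triggered, highest-privilege task whose target is an untrusted binary.
    if (re.search(r"/CREATE\b", cmdline, re.I) and re.search(r"/SC\s+ONLOGON\b", cmdline, re.I)
            and re.search(r"/RL\s+HIGHEST\b", cmdline, re.I)):
        m = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if target and not in_trusted_dir(target):
            out.append(Finding("onlogon_highest_task_untrusted_target", pid, target))
    # 3. Inbound firewall allow rule for a program outside the trusted directories.
    if (re.search(r"advfirewall\s+firewall\s+add\s+rule", cmdline, re.I)
            and re.search(r"\bdir=in\b", cmdline, re.I) and re.search(r"\baction=allow\b", cmdline, re.I)):
        m = re.search(r'program=(?:"([^"]+)"|(\S+))', cmdline, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if target and not in_trusted_dir(target):
            out.append(Finding("firewall_allow_untrusted_program", pid, target))
    # 4. Service security descriptor rewritten with an explicit deny ACE.
    m = re.search(r"\bsdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if m:
        denied_to = re.findall(r"\(D;[^)]*;;;([^)]+)\)", m.group(2))
        if denied_to:
            out.append(Finding("service_dacl_deny_ace", pid, f"{m.group(1)} denies {','.join(denied_to)}"))
    # 5. Untrusted helper invoked with a target process name and a DLL path.
    m = re.search(r"\s(\S+\.exe)\s+(\S+\.dll)\s*$", cmdline, re.I)
    if m and not in_trusted_dir(image):
        out.append(Finding("dll_injection_helper", pid, f"{m.group(1)} <- {m.group(2)}"))
    return out


def triage(events: Iterable[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings.extend(rules_for(ev["pid"], ev["image"], ev["cmdline"]))
    return findings


# Constructed records: command lines from the report, PIDs as noted in the lead-in.
SAMPLE_EVENTS = [
    {"pid": 4472, "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"pid": 5001, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 5002, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"pid": 5003, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 908, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"pid": 1528, "image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    # Benign control (made up): same task shape, but the target is an installed product.
    {"pid": 6001, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\agent.exe" /TN VendorAgent /F'},
]
```

Each of the five malicious records trips exactly one rule and the two control records (the task deletion and the Program Files task) trip none. The rules key on where the target binary lives rather than on the name "csrss" or "WinDefender", so they survive the sample choosing different names; the trade-off is that a third-party product installed outside Program Files will show up and needs an allow-list entry.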

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\system32\cmd.exe
PID 2352 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1488 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe C:\Windows\rss\csrss.exe
PID 4424 wrote to memory of 2032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 1340 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 1944 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4496 wrote to memory of 868 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe

"C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe

"C:\Users\Admin\AppData\Local\Temp\b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c548470f-86b3-4c56-8891-e0a6ef898fb3.uuid.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.dumppage.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server11.dumppage.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdv1hkjl.mdi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6e686edb6ca46abe3ede5ec84d6f1961
SHA1 cd628c4c92fced9d4363ccb0472218abf99e2529
SHA256 de7890c6eee7945b7a2dfe750773a43ee94a0662d5bc9f1d120925a3397735a5
SHA512 947499d9181786b41bab7a58f5ef9baadb4d18f806b52d75c76aeacda4da681b48c2bf130dbabf50b9a5305941105f724408964a973113fcfd01cf6cbd449771

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 503346830dc4501cecf595daae1c9ab0
SHA1 a5f815c67e117d3e9da57129048137c8a34d7196
SHA256 d15170899e7fd15f58b08ca5a7864ec3f87a338e93eea8573da982877e385449
SHA512 09fdecdb8756e74dfcf56c4fbaa82cce1ab4dbf8d2e197c24b6ef28894b5f7beff6505f595282a4a7fad2a1da8a74167102247b0a049670423a54d048a058f21

C:\Windows\rss\csrss.exe

MD5 3b200be8ba5d94581020a32ca98a1a2b
SHA1 98c2e3426e493471e0f56a68bf66418e300f58d4
SHA256 b8f79602544a39a4e40e81b573ec904cc623eb2621a25a3c8985f3a1bfb7884a
SHA512 2ce409e26e091e11878a710fee2b1d69b809b9cc505a02359f683977c138dc7cf46c26f73fbad39f119706f5f941d23ec1041c44825a0a12537b11bc8a61e053

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 514d18e7e0057033c361a2fb51cc654e
SHA1 585015b2c4e7a46d2fea597d191af68af43b62c2
SHA256 ed75e17bd7d82883d197d72fa82665ce337827dc3e5e82f7361bce54f8e5b04e
SHA512 2085f9bcc865d552b47e7264d46a0ef64270d1191dfc60f6ed975f904fb85fbd84dd697c6a1e615b9251beeff8f0aaf67b3dbcbd76bb269c31a7b5ba24cab3b4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 35cb6c78665b4186170c2f8b0450d820
SHA1 96ab83a9b8a24ff04ec6146a19ae5364f6063152
SHA256 714650da1671ad1ba993989f4e793c66e538f0300a43ca9dd10da321744c8459
SHA512 21bf87f2b22ed67016e335850605c75a2186c23f84c29ccc11371b8c866c946b0fd43398cc00896344a2b89155009e2aa40b5147fae17f77f45d0c7507e02e17

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0409dc21d3d05314b46233a8550d4a0c
SHA1 027ca6173db906bffca99e9b8bddabdfdde5add2
SHA256 ec57308a6a87baa7a44abdd512490b649da8e1bc36a695c2cab0461c78248693
SHA512 d8a1cfebc8fa00c3e70f365e646ccfd7ec641d5328e66fa642f30a8696da4f0c6acea82c5f265284bc7c2558a79f6ace0a7fc23e6ff599ae76e6fa28a8a2038e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
