Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-lthljscd3y
Target eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958
SHA256 eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958

Threat Level: Known bad

The file eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 09:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 09:49

Reported

2024-05-17 09:51

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1136 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3260 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3260 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\rss\csrss.exe
PID 3260 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\rss\csrss.exe
PID 3260 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\rss\csrss.exe
PID 1480 wrote to memory of 4796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4796 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1480 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4344 wrote to memory of 4868 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 4868 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 4868 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4868 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4868 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe

"C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe

"C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 8e5e55cf-02f0-47e6-bbc3-5764e32c594d.uuid.alldatadump.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server13.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server13.alldatadump.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
BG 185.82.216.108:443 server13.alldatadump.org tcp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.108:443 server13.alldatadump.org tcp

Files

memory/1612-1-0x00000000047A0000-0x0000000004BA4000-memory.dmp

memory/1612-2-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/1612-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4044-6-0x00000000046A0000-0x00000000046D6000-memory.dmp

memory/4044-5-0x000000007455E000-0x000000007455F000-memory.dmp

memory/4044-8-0x0000000004DF0000-0x0000000005418000-memory.dmp

memory/1612-4-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4044-7-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4044-9-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4044-10-0x0000000005420000-0x0000000005442000-memory.dmp

memory/4044-11-0x0000000005580000-0x00000000055E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2korlcg.suu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4044-21-0x0000000005630000-0x0000000005696000-memory.dmp

memory/4044-22-0x00000000057F0000-0x0000000005B44000-memory.dmp

memory/4044-23-0x0000000005C70000-0x0000000005C8E000-memory.dmp

memory/4044-24-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

memory/4044-25-0x00000000061A0000-0x00000000061E4000-memory.dmp

memory/4044-26-0x0000000006F10000-0x0000000006F86000-memory.dmp

memory/4044-27-0x0000000007670000-0x0000000007CEA000-memory.dmp

memory/4044-28-0x0000000007030000-0x000000000704A000-memory.dmp

memory/4044-31-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4044-29-0x00000000071F0000-0x0000000007222000-memory.dmp

memory/4044-32-0x0000000070570000-0x00000000708C4000-memory.dmp

memory/4044-30-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/4044-42-0x0000000007230000-0x000000000724E000-memory.dmp

memory/4044-43-0x0000000007250000-0x00000000072F3000-memory.dmp

memory/4044-44-0x0000000007340000-0x000000000734A000-memory.dmp

memory/4044-45-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4044-46-0x0000000007450000-0x00000000074E6000-memory.dmp

memory/4044-47-0x0000000007350000-0x0000000007361000-memory.dmp

memory/4044-48-0x0000000007390000-0x000000000739E000-memory.dmp

memory/4044-49-0x00000000073B0000-0x00000000073C4000-memory.dmp

memory/4044-50-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/4044-51-0x00000000073E0000-0x00000000073E8000-memory.dmp

memory/4044-54-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/1612-57-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/1612-56-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1612-58-0x00000000047A0000-0x0000000004BA4000-memory.dmp

memory/716-59-0x0000000006000000-0x0000000006354000-memory.dmp

memory/716-69-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/716-70-0x0000000070B70000-0x0000000070EC4000-memory.dmp

memory/716-80-0x0000000007800000-0x00000000078A3000-memory.dmp

memory/1612-82-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3260-81-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/716-83-0x0000000007B30000-0x0000000007B41000-memory.dmp

memory/716-84-0x0000000007B80000-0x0000000007B94000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0c200a09acd42352cb7b817e4cf74fff
SHA1 e0550f636d66ac5fed40ec6fa935b2f8296c4553
SHA256 74f8d3905bc8be508a52304f938eed76383e22db59661b402e13b68c59e9d0a4
SHA512 e2047c31e3d5780491da5529e54257555b85c8c135cbe009fccc1ca1a3f06e0b054589e869761c462ea1e8b3c1bbdb7d2f003831909e8cd1bec6518092ac42d4

memory/3276-99-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/3276-100-0x0000000070B70000-0x0000000070EC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 61ad67df88dfa94cb74af1a5eeb9e310
SHA1 0a965f83cd8ed9d07b891698da576b29ca8c91ce
SHA256 e25cb7e2418c8ca0ab16c17c4a6055ef4c4e3417463354124ae9f96612f1368f
SHA512 18a9a4d766ada1a7d388bf2b5aec7ef4e429fec3a9dd6a2311cddd8341155a32dba8ad64bf188f3ef64c6ce1f3564f37092fbab9a654e9aa9eea919609225e0a

memory/4364-121-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/4364-122-0x0000000070B70000-0x0000000070EC4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d2f354fc3e499c505ac0ce1df085e7eb
SHA1 007997d9e795d538a55f758501290c71179d382b
SHA256 eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958
SHA512 140c2c4dbf004ca893088af820d4fd6d440c78b069d32d7d9e3fd13aa40d75d5ec9709407f7e7e9a1f7f031c5b30a825432cc15f9193d428878ff348ef266a2e

memory/3260-138-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d95bbf8e79184d93d63a2ef8132a2069
SHA1 ae9c3674f31358f06a65f685cbfe5686640beff4
SHA256 a428ecea0bc4f7e1ed671cf6ee110f4efa029b702ad7aef847b40d37cf008442
SHA512 cac2406f52d27500bcce50e74d490af29724a90a140e13bb04eb69de22e15b7b16ac402d903ba1bdee153e7979ecc8eec9a845a833f730743f013a203ec8f452

memory/4796-150-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/4796-151-0x0000000070B70000-0x0000000070EC4000-memory.dmp

memory/1480-162-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1568-173-0x00000000055D0000-0x0000000005924000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad3a76a566debd6f5debfb5fdb3af840
SHA1 091bd31dde018118716b21c5687eb3b464f109bd
SHA256 1869dbf495788552e3e673af61a46ac3b574e7c17c5292bf80705edce6e01a1c
SHA512 75eb4b0f11758dd9f991e62d774d901e8711be5351a49c3389e37a06496a96b1e4eae74818edbe3a9760595cac9333853bf77925e12ffcee07171af84dd537c2

memory/1568-175-0x0000000006070000-0x00000000060BC000-memory.dmp

memory/1568-176-0x0000000070310000-0x000000007035C000-memory.dmp

memory/1568-177-0x0000000070490000-0x00000000707E4000-memory.dmp

memory/1568-187-0x0000000006DA0000-0x0000000006E43000-memory.dmp

memory/1568-188-0x00000000070B0000-0x00000000070C1000-memory.dmp

memory/1568-190-0x00000000053B0000-0x00000000053C4000-memory.dmp

memory/1572-192-0x0000000005790000-0x0000000005AE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4e7e03f0bcf759e2112df90a76f14424
SHA1 5db07702076527daefa38a4309cfaa64fbb73eed
SHA256 c5c294b5c9a66135ef2582e856be08492ae7e6757576a8b1a8cceec831cde5fc
SHA512 af8b8e38418e7f81f7068732d2a38e2e9cb1f3e0aeafd3ed177ed12559995a8f00ecd9bd6a5ef87dad7885964e395b60e67f778bcd9a785dd52a62828f1dc22e

memory/1572-203-0x0000000070310000-0x000000007035C000-memory.dmp

memory/1572-204-0x0000000070AA0000-0x0000000070DF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1480-220-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4344-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4796-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4344-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1480-233-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4796-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1480-235-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1480-239-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4796-244-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1480-243-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1480-247-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1480-252-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1480-255-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1480-259-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1480-263-0x0000000000400000-0x0000000002B0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:49

Reported

2024-05-17 09:51

Platform

win11-20240426-en

Max time kernel

58s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3496 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3496 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\system32\cmd.exe
PID 4716 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2112 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\rss\csrss.exe
PID 4716 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\rss\csrss.exe
PID 4716 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe C:\Windows\rss\csrss.exe
PID 4920 wrote to memory of 3724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1552 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4920 wrote to memory of 1552 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe

"C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe

"C:\Users\Admin\AppData\Local\Temp\eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 a06eb85b-8a7f-425a-970d-1d33c8baa120.uuid.alldatadump.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server16.alldatadump.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server16.alldatadump.org tcp

Files

memory/3496-1-0x0000000004A10000-0x0000000004E0B000-memory.dmp

memory/3496-2-0x0000000004E10000-0x00000000056FB000-memory.dmp

memory/3496-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3924-5-0x0000000002E00000-0x0000000002E36000-memory.dmp

memory/3924-6-0x000000007401E000-0x000000007401F000-memory.dmp

memory/3924-8-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/3924-7-0x0000000005660000-0x0000000005C8A000-memory.dmp

memory/3924-9-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/3496-4-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3924-10-0x0000000005430000-0x0000000005452000-memory.dmp

memory/3924-11-0x00000000055D0000-0x0000000005636000-memory.dmp

memory/3924-12-0x0000000005C90000-0x0000000005CF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjgmf2io.awh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3924-18-0x0000000005E00000-0x0000000006157000-memory.dmp

memory/3924-22-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/3924-23-0x0000000006310000-0x000000000635C000-memory.dmp

memory/3924-24-0x0000000006890000-0x00000000068D6000-memory.dmp

memory/3924-37-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/3924-36-0x0000000007740000-0x000000000775E000-memory.dmp

memory/3924-38-0x0000000007760000-0x0000000007804000-memory.dmp

memory/3924-27-0x0000000070410000-0x0000000070767000-memory.dmp

memory/3924-26-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/3924-25-0x0000000007700000-0x0000000007734000-memory.dmp

memory/3924-39-0x0000000007ED0000-0x000000000854A000-memory.dmp

memory/3924-41-0x0000000007890000-0x00000000078AA000-memory.dmp

memory/3924-40-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/3924-42-0x00000000078D0000-0x00000000078DA000-memory.dmp

memory/3924-43-0x00000000079E0000-0x0000000007A76000-memory.dmp

memory/3924-44-0x00000000078F0000-0x0000000007901000-memory.dmp

memory/3924-45-0x0000000007940000-0x000000000794E000-memory.dmp

memory/3924-46-0x0000000007950000-0x0000000007965000-memory.dmp

memory/3924-47-0x00000000079A0000-0x00000000079BA000-memory.dmp

memory/3924-48-0x00000000079C0000-0x00000000079C8000-memory.dmp

memory/3924-51-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/3496-53-0x0000000004A10000-0x0000000004E0B000-memory.dmp

memory/3496-55-0x0000000004E10000-0x00000000056FB000-memory.dmp

memory/3496-54-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4984-65-0x00000000063D0000-0x0000000006727000-memory.dmp

memory/4716-56-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4984-67-0x00000000704B0000-0x0000000070807000-memory.dmp

memory/4984-76-0x0000000007B70000-0x0000000007C14000-memory.dmp

memory/4984-66-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/4984-77-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

memory/4984-78-0x0000000007F00000-0x0000000007F15000-memory.dmp

memory/3496-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b1eb441c2df47827661e95dc9e2bd5f
SHA1 f0f13188b258ffe8413bb216f94416e9592d597f
SHA256 b2ef7b048e21c9d56fe1a8cad1c70723a59478edc00227c62acda2b5932f2b7c
SHA512 d8a65effedfe5399c2b6d732ceb6816137c5d71be8438c90ea9b6e2da487e9c224f1fa0585482ffea639ae05c1a403f962822f37aeffdfdddf5404353f45bff1

memory/4332-93-0x00000000704B0000-0x0000000070807000-memory.dmp

memory/4332-92-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2264-111-0x0000000005F10000-0x0000000006267000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88efcc74439b6565f8ce96622772d5a2
SHA1 bf02e0fec37420d5360ca80a4fa57c534004fefe
SHA256 3ba5ef88c7ac041d641de01d0c6fa5df2b0751ad535658211c15a1400d4d2d04
SHA512 06696933932bf741c3350589f34ea43493528ea0eb3ecdb550e12a328873ebe3779e89c351b501dc784d5449e4516d8cd7b58c8914314c0f9cd5c4eb88229869

memory/2264-113-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2264-114-0x0000000070BC0000-0x0000000070F17000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d2f354fc3e499c505ac0ce1df085e7eb
SHA1 007997d9e795d538a55f758501290c71179d382b
SHA256 eed9f937216227541ed707afd84d0c775fa0cd67a151b829c5c715c7dd445958
SHA512 140c2c4dbf004ca893088af820d4fd6d440c78b069d32d7d9e3fd13aa40d75d5ec9709407f7e7e9a1f7f031c5b30a825432cc15f9193d428878ff348ef266a2e

memory/4716-128-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3724-139-0x0000000005980000-0x0000000005CD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 52ecaac89725a4901e9def4dc9a0294a
SHA1 aedbabd9422060cc24490814b588ac7dea52de12
SHA256 151e758cc08c42a61638b1cbb3dabe209ee6ebca3d68631a686b111d58b0646e
SHA512 3963967daeccb5300818d30fd8fdd45cf170dd6393741eb327cf55a2566863d3c61925ddd2c97f6afd06086b889863ea42e7c26a833d050d53f04e5a0c02b158

memory/4920-142-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3724-143-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/3724-144-0x0000000070400000-0x0000000070757000-memory.dmp

memory/400-162-0x00000000059A0000-0x0000000005CF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ac5b54cef2e48ad981435313ce88edb8
SHA1 19c5319eda99aaf6fbfd5f310435064184a5320e
SHA256 dd3e82507d58487c3d79fa30523fb6df500768a93d73b519a9da61b702f50da9
SHA512 38aadfff35618f87f96e047f071dec8febc685fdd1de4e116f206172549d91b72379f55d5dd5de94a2d0cb27f5b614f0686d3dd6c6c9a5731c69e49930ccbcc1

memory/400-164-0x0000000005E50000-0x0000000005E9C000-memory.dmp

memory/400-165-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/400-166-0x0000000070320000-0x0000000070677000-memory.dmp

memory/400-175-0x0000000007040000-0x00000000070E4000-memory.dmp

memory/400-176-0x0000000007370000-0x0000000007381000-memory.dmp

memory/400-177-0x00000000057F0000-0x0000000005805000-memory.dmp

memory/2952-187-0x00000000063B0000-0x0000000006707000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5609c0a4fe0ba6706e41e0f5e3630235
SHA1 45044c0bbeca431a77bd183201b9c5ed653e4182
SHA256 015e981409211b12e0c4648c62350b89a595cde4bbb0ed0b3b0debe15fd83c71
SHA512 ea0d21f33818585302c1497061b68266d9d3f42dac1fe32c3d9d7c454c071c47b4b937ae2e74eea5577f5838c77358179968bfb06a61110f01cde9bf0a99e80f

memory/2952-189-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/2952-190-0x0000000070340000-0x0000000070697000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4920-206-0x0000000000400000-0x0000000002B0D000-memory.dmp