Malware Analysis Report

2025-01-02 06:40

Sample ID 240515-sqj4jafc9z
Target 44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065
SHA256 44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065

Threat Level: Known bad

The file 44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Program crash

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 15:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 15:19

Reported

2024-05-15 15:22

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
20 matches; no description, indicator, process or target was recorded for any of them

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
7 matches; no description, indicator, process or target was recorded for any of them

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (×5) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
These paths sit under C:\Windows\SysWOW64\config\systemprofile, which is the LocalSystem account's profile as seen by 32-bit processes, so the PowerShell instances that wrote them were running as SYSTEM.

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×14) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe (×12) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (×32) N/A
N/A N/A C:\Windows\rss\csrss.exe (×6) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
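sc.exe enabling SeSecurityPrivilege lines up with the `sc sdset WinDefender ...` command line recorded under Processes: that descriptor carries an S: (SACL) component, and writing a SACL requires that privilege. The descriptor itself deserves decoding, because the change that matters is a few letters inside a long string. The Python below is an added example, not part of the sandbox report or of the sandbox's own tooling. It parses the DACL and SACL of a service SDDL string and diffs the sample's descriptor against a baseline; the baseline `DEFAULT_SDDL` is a typical Windows 10 service descriptor reproduced here for comparison and is not something the report records. The right-letter table is the standard SDDL-to-SERVICE_* mapping that `sc sdshow` and `sc sdset` use.

```python
"""Decode the service security descriptor this sample sets with
`sc sdset WinDefender ...` and diff it against a typical default.
Added example; DEFAULT_SDDL is a comparison baseline, not from the report."""
import re
from dataclasses import dataclass

# SDDL right letters as they map onto service-object rights.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",         "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",         "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",                "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",       "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL",                 "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}
# Well-known SID aliases that appear in these descriptors.
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
            "WD": "Everyone"}

# Descriptor taken from the sc.exe command line in this report.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Typical default descriptor of a Windows 10 service (baseline, not from the report).
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass(frozen=True)
class Ace:
    kind: str          # "A" allow, "D" deny, "AU" audit
    flags: str         # e.g. "FA" = audit failed access
    rights: frozenset  # two-letter right tokens
    trustee: str       # SID alias such as "BA"


# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
_ACE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_acl(sddl, which="D"):
    """ACEs of the DACL (which='D') or SACL (which='S') of an SDDL string."""
    m = re.search(which + r":[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for kind, flags, rights, _obj, _inh, sid in _ACE.findall(m.group(1) if m else ""):
        if rights.startswith("0x"):
            raise ValueError("hex access masks are not handled in this example")
        toks = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
        unknown = toks - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown right token(s): {sorted(unknown)}")
        aces.append(Ace(kind, flags, toks, sid))
    return aces


def effective_rights(sddl, trustee):
    """Rights left to one trustee alias. Simplified model: union the trustee's
    own ACEs and let any deny beat an allow; the real access check also folds
    in group membership and ACE order."""
    allowed, denied = set(), set()
    for ace in parse_acl(sddl, "D"):
        if ace.trustee == trustee:
            (denied if ace.kind == "D" else allowed).update(ace.rights)
    return frozenset(allowed - denied)


def rights_removed(baseline, sddl, trustee):
    """Names of rights the trustee has under baseline but not under sddl."""
    lost = effective_rights(baseline, trustee) - effective_rights(sddl, trustee)
    return sorted(RIGHTS[r] for r in lost)


def explicit_denies(sddl):
    """(trustee, rights) for every deny ACE; a default service DACL has none."""
    return [(ace.trustee, sorted(RIGHTS[r] for r in ace.rights))
            for ace in parse_acl(sddl, "D") if ace.kind == "D"]


def can_reset_descriptor(sddl, trustee="BA"):
    """WRITE_DAC is all that is needed to put the descriptor back with sc sdset."""
    return "WD" in effective_rights(sddl, trustee)


if __name__ == "__main__":
    for alias in ("SY", "BA", "IU", "SU"):
        print(f"{TRUSTEES[alias]:28} loses {rights_removed(DEFAULT_SDDL, SAMPLE_SDDL, alias)}")
    print("explicit denies:", explicit_denies(SAMPLE_SDDL))
    print("admins keep WRITE_DAC:", can_reset_descriptor(SAMPLE_SDDL))
```

The result is that BUILTIN\Administrators lose WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) from their allow ACE and get an explicit (D;;WPDT;;;BA) deny on top, so `sc stop WinDefender` and `Stop-Service` fail for an administrator while SYSTEM keeps full control. Administrators still hold WRITE_DAC, so the recovery step is to write the default descriptor back with `sc sdset WinDefender <default SDDL>` (or delete the service) rather than to keep sending stop requests; `sc sdshow WinDefender` shows the live descriptor for a quick check. The access-check model in `effective_rights` is deliberately simplified.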

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4204 wrote to memory of 4428 (×3) N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 2152 (×3) N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 3012 (×2) N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 1688 (×2) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3440 wrote to memory of 2736 (×3) N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 4844 (×3) N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3440 wrote to memory of 3768 (×3) N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\rss\csrss.exe
PID 3768 wrote to memory of 212 (×3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3768 wrote to memory of 1804 (×3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3768 wrote to memory of 3420 (×3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3768 wrote to memory of 4844 (×2) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2284 wrote to memory of 3484 (×3) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 4244 (×3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
Parent-to-child writes arriving in groups of two or three are usually just the footprint of process creation (the creating process writes the new process's startup parameters into it) and do not by themselves indicate injection; 4204 and 3440 are the two instances of the sample listed under Processes. The entry that stands out is csrss.exe (3768) writing into injector.exe (4844), a process that, according to this table, was started by 3440 and not by csrss.exe.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe

"C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe

"C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 deaae78c-62db-46c1-968b-5440d26684c2.uuid.filesdumpplace.org udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server4.filesdumpplace.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server4.filesdumpplace.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server4.filesdumpplace.org tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
BG 185.82.216.96:443 server4.filesdumpplace.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcvcva4s.s5n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d29dd61feb44d7739c598bb2e601e17b
SHA1 cdcf863c62ffbe7443b655d7e7743c5f57f5b851
SHA256 91c5ab8cf69a03a803c7d80f099a65f771c380d5415f5db482cffa50c22407c9
SHA512 851fab08ae09605deb6d9d6674bda8131cbbb2886e5435098a0f8ba0da71c9166870845e694f2baab5745a43e94760c3e108067c4f31aa2f308db5e2539d94c2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 55790aa88e2fc50d8a9e56e50a106e6d
SHA1 c426d2334d2022d4347dce516efce072813947ab
SHA256 1cba620ddc5be90b34e6b9ca0d9d1347e0d1829b6eea45e046eba78d03f9f6df
SHA512 19c6f90c93ee89c51dc6d4ffbb369ab21eb9e92e7cc09f1ae84e587fd7a30e5f142e47ac249d2db92f4627a8fdf2c5c89b23b2ecfa3e925823e0e2f26433d153

C:\Windows\rss\csrss.exe

MD5 389f3cdc133d6d3e2f6402be33f55080
SHA1 fb2c0822f895b0d4c3a484c2ef47738850a5909f
SHA256 44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065
SHA512 4a9bc84bbb93a7d4da7653b648fbf1e5d07190c78e5fca91499aa87f4f5f99c07f99983e45b9eb4bd309829708b7d61be7ac36e2a0ec78351b71e6479e7f1b04

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 28d9b234652651cf294aacd9d99d107e
SHA1 12ee2034bc0cd55f3bfe718c27f0eef575b1ae9d
SHA256 874e0d9798b10c2a717455c5b168638958fda451a7b2887287740815116a963e
SHA512 22e98df9fd875b8784a4eb6560dce00d5618b6eb80e6cc9959559ab7a91edcc5e2fad1d5bda7badf53748f17ce94d128a43407cb2f7931d57eb9eb678b0233e6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5e24952eeb8e6294aaee8b0ed290aa07
SHA1 e1e38509f59f1bef5188634dfcedad05c95a5fae
SHA256 32576c437429cb81c9aa6a54317ab9d30e4d403b865433690e80637d1e392ee4
SHA512 404e2f05f6f8518379bb4384d01f7e3ff37ff9a43bc67e6b01219bdc4d05a0825cdf52f4135233515db77c26a26bca7c017f899084b6039a904ad10bd134785a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1991061173e0136d90358e7bcbe9c889
SHA1 2872aadcbe8975b404405f20118ed76bb70b63f5
SHA256 7584b1e03fb91d518cff80c5e94b51a80af12efe2ca0a74d7fa791a60dff4f45
SHA512 568934ee32d04710f560d4b6912bf5e009860fa52bd10813de530b3090f098a88f76ae8402301905214a239ceb693ed5d06a5fd91fcd74e9b8afe3fba1c4beaf

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 15:19

Reported

2024-05-15 15:22

Platform

win11-20240508-en

Max time kernel

150s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A (6 identical consecutive rows collapsed)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 identical consecutive rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 identical consecutive rows collapsed)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical consecutive rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (6 identical consecutive rows collapsed)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical consecutive rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (2 identical consecutive rows collapsed)
N/A N/A C:\Windows\rss\csrss.exe N/A (2 identical consecutive rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (18 identical consecutive rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1820 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1232 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\rss\csrss.exe
PID 1232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\rss\csrss.exe
PID 1232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe C:\Windows\rss\csrss.exe
PID 2084 wrote to memory of 4580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 4580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 4580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1180 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1180 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1180 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3120 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2084 wrote to memory of 3120 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4420 wrote to memory of 2140 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 2140 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 2140 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2140 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2140 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
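The WriteProcessMemory rows above are the only place this report records which process launched which, so they can be used to rebuild the process tree that the flat Processes list further down does not show. The Python below is an added example and not part of the sandbox report: it parses rows in the exact format printed above, collapses the repeats (the sandbox prints one row per WriteProcessMemory call, so each launch appears two or three times), builds the tree, and flags any process whose file name is a core Windows binary but which runs outside System32 or SysWOW64. The rows embedded in the script are copied from this table; the list of core binary names is the example's own assumption. Two things the tree makes visible: the sample ran twice (PID 4068, whose only child is the powershell.exe that WerFault later handled as PID 4956, and PID 1232, which did the installation), and C:\Windows\rss\csrss.exe, which the Files section shows to be a byte-for-byte copy of the sample, is the process that launches the injector.

```python
import re

# Image paths exactly as they appear in this report's tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"

# Rows copied from the "Suspicious use of WriteProcessMemory" table above, one distinct
# launch each, except the first, which is kept in triplicate as the report prints it so
# that the de-duplication below is exercised.
WPM_ROWS = "\n".join([
    f"PID 4068 wrote to memory of 4956 N/A {SAMPLE} {PS}",
    f"PID 4068 wrote to memory of 4956 N/A {SAMPLE} {PS}",
    f"PID 4068 wrote to memory of 4956 N/A {SAMPLE} {PS}",
    f"PID 1232 wrote to memory of 1292 N/A {SAMPLE} {PS}",
    rf"PID 1232 wrote to memory of 1820 N/A {SAMPLE} C:\Windows\system32\cmd.exe",
    r"PID 1820 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe",
    f"PID 1232 wrote to memory of 4984 N/A {SAMPLE} {PS}",
    f"PID 1232 wrote to memory of 1664 N/A {SAMPLE} {PS}",
    f"PID 1232 wrote to memory of 2084 N/A {SAMPLE} {CSRSS}",
    f"PID 2084 wrote to memory of 4580 N/A {CSRSS} {PS}",
    f"PID 2084 wrote to memory of 3220 N/A {CSRSS} {PS}",
    f"PID 2084 wrote to memory of 1180 N/A {CSRSS} {PS}",
    rf"PID 2084 wrote to memory of 3120 N/A {CSRSS} C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
    r"PID 4420 wrote to memory of 2140 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2140 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe",
])

# Row layout: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")

# File names that only ever run from the Windows system directories; the same name in any
# other folder is masquerading. This list is the example's own assumption.
CORE_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe", "conhost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_rows(text):
    """Parse table rows into distinct (parent_pid, child_pid, parent_image, child_image) tuples.

    A launch involves several WriteProcessMemory calls, so the same pair appears two or
    three times in the report; only the first occurrence is kept.
    """
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        if (ppid, cpid) not in seen:
            seen.add((ppid, cpid))
            edges.append((ppid, cpid, m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """Return (roots, children, image); roots are PIDs that never appear as a target."""
    image, children, parent = {}, {}, {}
    for ppid, cpid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        children.setdefault(ppid, []).append(cpid)
        parent[cpid] = ppid
    roots = [pid for pid in image if pid not in parent]
    return roots, children, image


def render_tree(roots, children, image, indent="    "):
    """Indented text tree, one 'PID  image' line per process, parents before children."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{indent * depth}{pid}  {image[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def find_masquerades(image):
    """PIDs whose file name is a core Windows binary but whose folder is not System32/SysWOW64."""
    hits = {}
    for pid, path in image.items():
        folder, _, name = path.lower().rpartition("\\")
        if name in CORE_SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
            hits[pid] = path
    return hits


if __name__ == "__main__":
    roots, children, image = build_tree(parse_rows(WPM_ROWS))
    print("\n".join(render_tree(roots, children, image)))
    for pid, path in find_masquerades(image).items():
        print(f"masquerade: PID {pid} runs {path} outside the system directories")
```

C:\Windows\windefender.exe (PID 4420) comes out as a third root because no row in the table launches it; the rows only show what it did next, which was to spawn cmd.exe and sc.exe for the sc sdset command in the Processes list.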

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe

"C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1900

C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe

"C:\Users\Admin\AppData\Local\Temp\44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
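The sc sdset WinDefender command above rewrites the security descriptor of the service Glupteba installs under the name WinDefender (the legitimate Microsoft Defender service is WinDefend). Read as SDDL, its DACL carries an explicit deny ACE, (D;;WPDT;;;BA), that withholds SERVICE_STOP and SERVICE_PAUSE_CONTINUE from BUILTIN\Administrators, and the allow ACE for Administrators omits the same two rights, so an elevated sc stop WinDefender fails with access denied. The Python below is an added example, not code from the report or from the malware: it parses the descriptor exactly as it appears in the Processes list, decodes each ACE using the standard service-object meaning of the SDDL right codes (the mapping sc sdshow output is read with), and compares it against a typical stock service descriptor that is constructed here for contrast.

```python
import re

# Two-letter SDDL right codes with the meaning they carry on a service object. The letters
# are the generic SDDL abbreviations; only the names are service-specific.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT", "AL": "ALARM"}

# The descriptor windefender.exe applied in this report, copied from the Processes list.
GLUPTEBA_WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Constructed for contrast: the descriptor most stock services carry. Administrators are
# allowed WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) and nothing is denied.
TYPICAL_DEFAULT_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def split_sections(sddl):
    """Split 'O:..G:..D:(..)S:(..)' into a dict keyed O/G/D/S, ignoring letters inside ACEs."""
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf, i = ch, [], i + 2
            continue
        depth += (ch == "(") - (ch == ")")
        buf.append(ch)
        i += 1
    if key is not None:
        sections[key] = "".join(buf)
    return sections


def parse_ace(ace):
    """Fields: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid."""
    ace_type, flags, rights, _, _, sid = (ace.split(";") + [""] * 6)[:6]
    codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags, "rights": codes,
            "sid": sid, "trustee": TRUSTEES.get(sid, sid)}


def parse_acl(section):
    """ACEs of one DACL/SACL section; leading control flags such as P, AI or AR are skipped."""
    return [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", section)]


def rights_for(sddl, sid, ace_type):
    """Union of the rights that every DACL ACE of ace_type ('ALLOW' or 'DENY') names for sid."""
    out = set()
    for ace in parse_acl(split_sections(sddl).get("D", "")):
        if ace["type"] == ace_type and ace["sid"] == sid:
            out.update(ace["rights"])
    return out


def is_stop_hardened(sddl):
    """True when the DACL explicitly denies SERVICE_STOP to Administrators."""
    return "WP" in rights_for(sddl, "BA", "DENY")


def explain(sddl):
    """One readable line per ACE, DACL first, then SACL."""
    out = []
    for section, label in (("D", "DACL"), ("S", "SACL")):
        for ace in parse_acl(split_sections(sddl).get(section, "")):
            names = ", ".join(SERVICE_RIGHTS.get(c, c) for c in ace["rights"])
            out.append(f"{label} {ace['type']:<5} {ace['trustee']:<24} {names}")
    return out


if __name__ == "__main__":
    print("\n".join(explain(GLUPTEBA_WINDEFENDER_SDDL)))
    print("denied to Administrators:", sorted(rights_for(GLUPTEBA_WINDEFENDER_SDDL, "BA", "DENY")))
    print("stop hardened:", is_stop_hardened(GLUPTEBA_WINDEFENDER_SDDL))
```

Two points for anyone cleaning this up follow directly from the decoded ACEs. The allow ACE for SYSTEM still includes WP, so a SYSTEM-context shell can stop the service even though an administrator cannot. And the allow ACE for Administrators keeps DC, SD and WD (SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC), so an administrator can put a normal descriptor back with sc sdset and then reconfigure or remove the service; the hardening only targets the stop and pause controls.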

Network

Country Destination Domain Proto
US 8.8.8.8:53 dca0dfd8-f26f-49c9-8a58-515e933ff304.uuid.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server7.filesdumpplace.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server7.filesdumpplace.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server7.filesdumpplace.org tcp
US 52.111.229.43:443 N/A tcp
BG 185.82.216.96:443 server7.filesdumpplace.org tcp

Files

memory/4068-1-0x0000000004850000-0x0000000004C4D000-memory.dmp

memory/4068-2-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/4068-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4956-4-0x00000000743AE000-0x00000000743AF000-memory.dmp

memory/4956-5-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

memory/4956-6-0x00000000743A0000-0x0000000074B51000-memory.dmp

memory/4956-7-0x0000000005370000-0x000000000599A000-memory.dmp

memory/4956-8-0x0000000005210000-0x0000000005232000-memory.dmp

memory/4956-9-0x0000000005AA0000-0x0000000005B06000-memory.dmp

memory/4956-10-0x0000000005B10000-0x0000000005B76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e43xs2q2.yfg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4956-19-0x0000000005B80000-0x0000000005ED7000-memory.dmp

memory/4956-20-0x0000000006030000-0x000000000604E000-memory.dmp

memory/4956-21-0x0000000006090000-0x00000000060DC000-memory.dmp

memory/4956-22-0x00000000065C0000-0x0000000006606000-memory.dmp

memory/4956-24-0x0000000007450000-0x0000000007484000-memory.dmp

memory/4956-25-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4956-26-0x0000000070790000-0x0000000070AE7000-memory.dmp

memory/4956-35-0x00000000074B0000-0x00000000074CE000-memory.dmp

memory/4956-36-0x00000000074D0000-0x0000000007574000-memory.dmp

memory/4956-37-0x00000000743A0000-0x0000000074B51000-memory.dmp

memory/4068-23-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4956-38-0x0000000007C40000-0x00000000082BA000-memory.dmp

memory/4956-39-0x0000000007600000-0x000000000761A000-memory.dmp

memory/4956-40-0x0000000007640000-0x000000000764A000-memory.dmp

memory/4956-41-0x00000000743A0000-0x0000000074B51000-memory.dmp

memory/1292-48-0x00000000060F0000-0x0000000006447000-memory.dmp

memory/4068-53-0x0000000004850000-0x0000000004C4D000-memory.dmp

memory/1292-54-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4068-55-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/1292-65-0x0000000007880000-0x0000000007924000-memory.dmp

memory/1292-56-0x0000000070840000-0x0000000070B97000-memory.dmp

memory/4068-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1292-66-0x0000000007CB0000-0x0000000007D46000-memory.dmp

memory/1292-67-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

memory/1292-68-0x0000000007C30000-0x0000000007C3E000-memory.dmp

memory/1292-69-0x0000000007C40000-0x0000000007C55000-memory.dmp

memory/1292-70-0x0000000007C80000-0x0000000007C9A000-memory.dmp

memory/1292-71-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

memory/1232-74-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4984-84-0x00000000055C0000-0x0000000005917000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f6957b20dbfc47a6df07b6687d161377
SHA1 ffb11fe6dc323cb1bd4017f9a2c2d8dd67f91768
SHA256 4c310412714077c7663c2990124efa239b5b2e414d713bffb13d4a3df2ee48d8
SHA512 d4f82bc0035390eddeb769c22e592dc9204319f4fe93cf7cfbe996f336844f539e118e0c8eb7327c3c231b1a1734cc3b32b8d568b0f4fef667ddfcdaa44e0041

memory/4984-87-0x00000000707B0000-0x0000000070B07000-memory.dmp

memory/4984-86-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4068-96-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1664-98-0x0000000005CB0000-0x0000000006007000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 049caad8d4c9de846a9a0310957573c6
SHA1 46b2b4f2421872c46efdb85c450b5edd3d55532c
SHA256 d97532bf91d45a7507dabd55e7f761ebac40091d555848eb8676e57bb707e6c3
SHA512 40300260ebdc166cb2041ee448203cbef18c31559c0aaca7c4204a8044657e6c890be96479f586842d0df941b02cba1e6c257b455c46170daa9fbed00304325c

memory/1664-108-0x0000000070610000-0x000000007065C000-memory.dmp

memory/1664-109-0x0000000070880000-0x0000000070BD7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 389f3cdc133d6d3e2f6402be33f55080
SHA1 fb2c0822f895b0d4c3a484c2ef47738850a5909f
SHA256 44b554dece2046b48d3d47dea5bfb8e0a58ccf5b1f8b3bd5090e07739e0c3065
SHA512 4a9bc84bbb93a7d4da7653b648fbf1e5d07190c78e5fca91499aa87f4f5f99c07f99983e45b9eb4bd309829708b7d61be7ac36e2a0ec78351b71e6479e7f1b04

memory/1232-122-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fbed158cb9165fa66f40396e5e9e6c6a
SHA1 785aa6c8db1e336d46d9814a18b5edd403d6d44d
SHA256 8e43d26a94a22bc7e4706e5377bfeef877544125f2343a84c9b05b9e6aa72e3f
SHA512 4eb81df8e7c36309d69631f86d70a21c4a835041f36b1839b1cf42dd02c7e70cb4513ba8d2c78ca733a0554fa14f67b2abcef15567c7000f6a31bf3bff55bb41

memory/4580-136-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4580-137-0x00000000707B0000-0x0000000070B07000-memory.dmp

memory/3220-155-0x00000000058C0000-0x0000000005C17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b61dfbd0cc58a3b055e950e4fc4e23a6
SHA1 4cbe30c310051504c21ed2fdc498e42c7bad5581
SHA256 2ec5a35a287f3f2ca959d4ca435659dcacb612237072f65db0afcfd1dad4716d
SHA512 0ecc1953cf1120581c4bfce0a05f72d638cc6915d64149051f354c9b58412627a44b0782383ebec3baa5b331f6f1ff6bd87a84a49854d8b886259372645bb7f3

memory/3220-157-0x0000000006170000-0x00000000061BC000-memory.dmp

memory/3220-158-0x0000000070530000-0x000000007057C000-memory.dmp

memory/3220-159-0x00000000706B0000-0x0000000070A07000-memory.dmp

memory/3220-168-0x0000000007070000-0x0000000007114000-memory.dmp

memory/3220-169-0x00000000073B0000-0x00000000073C1000-memory.dmp

memory/3220-170-0x0000000005C40000-0x0000000005C55000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4c58e4115ad73c91c72dfed1b623fb6a
SHA1 09d0ee8fb9b1151d45018fc858acc048caf80d0e
SHA256 63d8b8d31dbe1dfa2f0b5796e92452e01511423e1891b769e228c0f84de8215e
SHA512 5f321fc37bc7b1214bf1ce268aca21f6db3411ddf007328c28785700614351e3401e763f9a98ad4ded3a59dba4bcf299a5d8f4f8053d12528b10bf5468edd014

memory/1180-182-0x0000000070530000-0x000000007057C000-memory.dmp

memory/1180-183-0x00000000706B0000-0x0000000070A07000-memory.dmp

memory/2084-193-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4420-203-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4000-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4420-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2084-206-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4000-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2084-211-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2084-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4000-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2084-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2084-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2084-223-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2084-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2084-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2084-232-0x0000000000400000-0x0000000002B0B000-memory.dmp