Malware Analysis Report

2024-12-08 02:05

Sample ID 240516-lq19gsfb35
Target 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24
SHA256 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24

Threat Level: Known bad

The file 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 09:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 09:45

Reported

2024-05-16 09:47

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4688 wrote to memory of 5356 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4688 wrote to memory of 5356 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4688 wrote to memory of 5356 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\system32\cmd.exe
PID 5768 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\system32\cmd.exe
PID 3508 wrote to memory of 4972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3508 wrote to memory of 4972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 5768 wrote to memory of 5752 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 5752 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 5752 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\rss\csrss.exe
PID 5768 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\rss\csrss.exe
PID 5768 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\rss\csrss.exe
PID 2892 wrote to memory of 6112 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 6112 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 6112 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 3872 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 3872 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 3872 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1824 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1824 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1824 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 5624 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2892 wrote to memory of 5624 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 976 wrote to memory of 3080 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 3080 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 3080 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3080 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3080 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe

"C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe

"C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
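
The `sc sdset WinDefender ...` command in the process list above replaces the security descriptor of the service the sample registers with the SDDL string shown. The decoder below is an added example for this report, not code from the sandbox or from the sample: it parses that exact string (copied verbatim from the process list), maps the generic two-letter SDDL access codes to the rights the Service Control Manager applies to service objects, resolves the well-known SID aliases, and reports which principals are denied the right to stop or pause the service. The helper names (`parse_sddl`, `effective_rights`, `stop_lockout`) are chosen for this example.

```python
"""Decode the service SDDL the sample applies with `sc sdset WinDefender ...`.

Added example, not part of the sandbox report. The SDDL string is the one shown
in the process list; the rights table is the standard SDDL code set as the
Service Control Manager interprets it for service objects.
"""
import re
from dataclasses import dataclass, field

# Generic SDDL access codes and their meaning for a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SDDL SID abbreviations used in this descriptor.
SID_ALIASES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# Copied from the sc.exe command line in the process list above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


@dataclass
class Ace:
    kind: str                      # allow / deny / audit
    flags: str                     # e.g. FA = audit failed access
    trustee: str                   # resolved principal name
    rights: set = field(default_factory=set)


def _split_rights(code: str) -> set:
    # Rights are fixed two-letter tokens, so slice the string in pairs.
    if len(code) % 2:
        raise ValueError(f"odd-length rights string: {code}")
    rights = set()
    for i in range(0, len(code), 2):
        tok = code[i:i + 2]
        if tok not in SERVICE_RIGHTS:
            raise ValueError(f"unknown access code {tok}")
        rights.add(SERVICE_RIGHTS[tok])
    return rights


def parse_sddl(sddl: str) -> dict:
    """Return {'dacl': [Ace, ...], 'sacl': [Ace, ...]} for the D: and S: sections.
    Handles the plain layout used here (no O:/G: owner fields, no DACL flags)."""
    result = {"dacl": [], "sacl": []}
    for section, key in (("D", "dacl"), ("S", "sacl")):
        m = re.search(rf"{section}:((?:\([^)]*\))*)", sddl)
        if not m:
            continue
        for raw in re.findall(r"\(([^)]*)\)", m.group(1)):
            fields = raw.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: {raw}")
            ace_type, flags, rights, _obj, _inherit, trustee = fields
            result[key].append(Ace(ACE_TYPES.get(ace_type, ace_type), flags,
                                   SID_ALIASES.get(trustee, trustee),
                                   _split_rights(rights)))
    return result


def effective_rights(sddl: str, trustee: str) -> set:
    """Rights granted to a trustee minus anything an explicit deny ACE removes.
    Windows walks ACEs in order; the set arithmetic matches this descriptor
    because the allow ACE for Administrators never grants STOP/PAUSE anyway."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace.trustee == trustee:
            (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return allowed - denied


def stop_lockout(sddl: str) -> dict:
    """Principals explicitly denied SERVICE_STOP and/or SERVICE_PAUSE_CONTINUE."""
    out = {}
    for ace in parse_sddl(sddl)["dacl"]:
        hit = ace.rights & {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE"}
        if ace.kind == "deny" and hit:
            out[ace.trustee] = sorted(hit)
    return out


if __name__ == "__main__":
    for who, rights in stop_lockout(WINDEFENDER_SDDL).items():
        print(f"{who} is denied: {', '.join(rights)}")
    for who in ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"):
        print(who, "may stop:", "SERVICE_STOP" in effective_rights(WINDEFENDER_SDDL, who))
```

Reading the output: SYSTEM keeps SERVICE_STOP, but the allow ACE for BUILTIN\Administrators lacks the WP and DT codes that the SYSTEM ACE on the same line carries, and a second ACE explicitly denies both to Administrators, so `sc stop WinDefender` or `Stop-Service` from an elevated prompt fails with access denied. Administrators do keep WRITE_DAC and SERVICE_CHANGE_CONFIG, so during response the descriptor can be rewritten first (`sc sdset` with a normal DACL) and the service stopped and deleted afterwards. The parser assumes the plain `D:`/`S:` layout this string uses and does not handle owner fields, DACL flags or object ACEs.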

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 d3d1dd78-8e70-4093-8782-9ebfbfcbca03.uuid.dumperstats.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.dumperstats.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.111:443 server9.dumperstats.org tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4688-1-0x0000000002920000-0x0000000002D21000-memory.dmp

memory/4688-2-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/4688-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5356-4-0x000000007490E000-0x000000007490F000-memory.dmp

memory/5356-5-0x0000000002BD0000-0x0000000002C06000-memory.dmp

memory/5356-6-0x0000000005460000-0x0000000005A88000-memory.dmp

memory/5356-7-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/5356-8-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/5356-9-0x0000000005270000-0x0000000005292000-memory.dmp

memory/5356-10-0x0000000005B00000-0x0000000005B66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eih3qnzi.fpo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5356-11-0x0000000005B70000-0x0000000005BD6000-memory.dmp

memory/5356-21-0x0000000005D20000-0x0000000006074000-memory.dmp

memory/5356-22-0x00000000061C0000-0x00000000061DE000-memory.dmp

memory/5356-23-0x0000000006200000-0x000000000624C000-memory.dmp

memory/5356-24-0x0000000006730000-0x0000000006774000-memory.dmp

memory/5356-25-0x00000000074E0000-0x0000000007556000-memory.dmp

memory/5356-26-0x0000000007BE0000-0x000000000825A000-memory.dmp

memory/5356-27-0x0000000007580000-0x000000000759A000-memory.dmp

memory/5356-29-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/5356-28-0x0000000007740000-0x0000000007772000-memory.dmp

memory/5356-31-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/5356-30-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/5356-43-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/5356-42-0x00000000077A0000-0x0000000007843000-memory.dmp

memory/5356-41-0x0000000007780000-0x000000000779E000-memory.dmp

memory/5356-44-0x0000000007890000-0x000000000789A000-memory.dmp

memory/5356-45-0x0000000007950000-0x00000000079E6000-memory.dmp

memory/5356-46-0x00000000078B0000-0x00000000078C1000-memory.dmp

memory/5356-47-0x00000000078F0000-0x00000000078FE000-memory.dmp

memory/5356-48-0x0000000007900000-0x0000000007914000-memory.dmp

memory/5356-49-0x00000000079F0000-0x0000000007A0A000-memory.dmp

memory/5356-50-0x0000000007940000-0x0000000007948000-memory.dmp

memory/5356-53-0x0000000074900000-0x00000000750B0000-memory.dmp

memory/5768-55-0x0000000002A10000-0x0000000002E18000-memory.dmp

memory/5088-56-0x0000000005540000-0x0000000005894000-memory.dmp

memory/5088-66-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/5088-67-0x0000000070F20000-0x0000000071274000-memory.dmp

memory/5088-77-0x0000000006CB0000-0x0000000006D53000-memory.dmp

memory/5088-78-0x0000000006F70000-0x0000000006F81000-memory.dmp

memory/5088-79-0x0000000006FC0000-0x0000000006FD4000-memory.dmp

memory/4688-82-0x0000000002920000-0x0000000002D21000-memory.dmp

memory/4688-83-0x0000000002D30000-0x000000000361B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0975f598f02e71d07f4da6ff27edc938
SHA1 436c266276e0a0fc76d11ee2d3fe1c2ffd869333
SHA256 86f44f65e1b914caeddffa4cbac3450f6cbb62b751fd0775def0852fb7d616a5
SHA512 b245bf107cc0f8aca0fa59bfcd667e4adc5a67a46eb7c1cd8fc467ffad0015aa5096f6a0ac8fdd1a9ee7a80fe161f7e68b59d19048e5259c9a586ad5b03afdc0

memory/5752-95-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/5752-96-0x0000000070F20000-0x0000000071274000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 667f1d540fa3e05d5cc8882e525b4a9a
SHA1 46c93dc38f83cda98febc540b47258e27e09e528
SHA256 ac0633d05094bf40dcdf97c778a96dcfd0a5e3db0a66a51f57a8b33c262d347a
SHA512 ba8a6d47f31926eac666316c285cf84802579e59c781093c63ac38eada4e0924ea37b4f26611a6a3eb36d51082ab196f4e02934e57c28789e9751839ca01f919

memory/3440-117-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/3440-118-0x0000000070F20000-0x0000000071274000-memory.dmp

memory/4688-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0daf5e326061c070849efb41ec2479f6
SHA1 d047abb419a0b0751f5f9776581e2eccf2203c00
SHA256 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24
SHA512 bfb0213969194c4f87ea602d9a7cf9a84e49e72c735a52803cc447c5850ebd1ef5421535577fad7fa47277d32d93408f8979626a4d71a18b1df3844d56537521

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 962403d9ad8f477dfba2f8023f88891b
SHA1 2aad90036337dae0c589911276e38a303b618fc7
SHA256 0d2fe44693ff7f869873a968d603bf7467c90fc5a14be6139b839230b684b7ae
SHA512 a93e8cf2353f4d12dc4f66e89026b6fd7d8cd83ec077e9285ea13ee37acc39588ee177440c4ff9e05ee005d8fe49f63a9dde4ae757b41fe931d62b7ef422393c

memory/6112-145-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/6112-146-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/3872-166-0x0000000006060000-0x00000000063B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1c2a59bbe379514d2578a40ef65e1c97
SHA1 6956241d62d128898107950801da18e8a4f11330
SHA256 b33a4666a9ec1aa605a061caa09f360a0b1720a88f936ace3c89a80e0781d81b
SHA512 2240d92d5f47421aff299c2022d7f1042c63a3b60f2bb795c3cb5bd7d0b56bb6439808b2ba7adfa6f86f477194fc5a043fee20a1c59fff11b48486ba8a2abcdd

memory/3872-168-0x0000000006AA0000-0x0000000006AEC000-memory.dmp

memory/3872-169-0x00000000706C0000-0x000000007070C000-memory.dmp

memory/3872-170-0x0000000070840000-0x0000000070B94000-memory.dmp

memory/3872-180-0x0000000007790000-0x0000000007833000-memory.dmp

memory/5768-181-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3872-182-0x0000000007AE0000-0x0000000007AF1000-memory.dmp

memory/3872-183-0x0000000005FC0000-0x0000000005FD4000-memory.dmp

memory/1824-185-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 39a0f164788917c3024e7d4c7e89deb5
SHA1 03b3eab1f489fa6b06630d20f9e43ca7244c3599
SHA256 ade61ac6d049b49b211078b31825729dbf79a8ab3abe0a956bc05dff3dbc0936
SHA512 845d358c69725acafcdbfb08d8f19213303a90cf6ef3dbc56276f6fc119679a1622b062998e26d2ba7027b377f0fcef273626f7b56dcf19c30b8c464851669cb

memory/1824-196-0x00000000706C0000-0x000000007070C000-memory.dmp

memory/1824-197-0x0000000070E50000-0x00000000711A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2892-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5768-216-0x0000000002A10000-0x0000000002E18000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/976-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1852-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/976-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2892-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1852-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2892-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1852-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2892-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-262-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-267-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2892-271-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 09:45

Reported

2024-05-16 09:47

Platform

win11-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
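
The process list in behavioral1 together with the signatures above (Executes dropped EXE, Modifies Windows Firewall, Creates scheduled task(s)) carries enough command-line detail to write process-creation detections for this chain: a csrss.exe running from C:\Windows\rss instead of System32, an executable dropped directly under C:\Windows, a logon-triggered scheduled task at the highest run level pointing at that binary, an inbound firewall allow rule for it, and an injector handed a DLL from the user's Temp directory plus a target process name (taskmgr.exe). The Python below is an added example, not part of this report or of any product, that evaluates those rules over a constructed list of Sysmon-style process events. The malicious command lines are copied from the process list; the PIDs, the benign events and the vendor name in them are made up for the example, and the allowlist of executables that legitimately live directly under C:\Windows is illustrative rather than exhaustive.

```python
"""Process-creation detections for the persistence/evasion steps in this report.

Added example, not part of the sandbox output. Malicious command lines are the
ones listed in the Processes section; PIDs, benign events and the vendor name
are constructed here. Events mimic Sysmon event 1 fields (Image, CommandLine).
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_PREFIXES = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# Native image names that should only ever run from a system directory.
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "wininit.exe"}
# Illustrative, not exhaustive: executables that legitimately sit directly under C:\Windows.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "splwow64.exe"}


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _opt(cmdline: str, name: str) -> Optional[str]:
    """Value of a schtasks-style `/NAME value` or `/NAME "quoted value"` option."""
    m = re.search(rf'(?i)(?:^|\s)/{name}\s+(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def suspicious_image_path(ev: dict) -> Optional[str]:
    path = _norm(ev["image"])
    parent, _, name = path.rpartition("\\")
    if name in PROTECTED_NAMES and not path.startswith(SYSTEM_DIRS):
        return f"{name} running outside a system directory: {ev['image']}"
    if parent == "c:\\windows" and name not in WINDOWS_ROOT_ALLOWLIST:
        return f"unexpected executable directly under C:\\Windows: {ev['image']}"
    return None


def logon_task_highest(ev: dict) -> Optional[str]:
    cl = ev["cmdline"]
    if not _norm(ev["image"]).endswith("\\schtasks.exe") or not re.search(r"(?i)/create\b", cl):
        return None
    trigger = (_opt(cl, "sc") or "").lower()
    level = (_opt(cl, "rl") or "").lower()
    target = _opt(cl, "tr") or ""
    if trigger == "onlogon" and level == "highest" and not _norm(target).startswith(TRUSTED_PREFIXES):
        return f"logon task {_opt(cl, 'tn')} runs {target} at highest run level"
    return None


def firewall_allow_untrusted(ev: dict) -> Optional[str]:
    cl = ev["cmdline"]
    if not _norm(ev["image"]).endswith("\\netsh.exe"):
        return None
    if not re.search(r"(?i)advfirewall\s+firewall\s+add\s+rule", cl):
        return None
    prog = re.search(r'(?i)program=(?:"([^"]+)"|(\S+))', cl)
    if not prog or not re.search(r"(?i)\bdir=in\b", cl) or not re.search(r"(?i)\baction=allow\b", cl):
        return None
    path = prog.group(1) or prog.group(2)
    if not _norm(path).startswith(TRUSTED_PREFIXES):
        return f"inbound allow rule for program outside trusted locations: {path}"
    return None


def dll_injection_cmdline(ev: dict) -> Optional[str]:
    cl = ev["cmdline"]
    if _norm(ev["image"]).endswith(("\\rundll32.exe", "\\regsvr32.exe")):
        return None  # covered by their own, different rules
    dll = re.search(r"(?i)(\S+\\appdata\\local\\temp\\\S+\.dll)", cl)
    exe = re.search(r"(?i)(?:^|\s)([a-z0-9_]+\.exe)(?=\s|$)", cl)
    if dll and exe:
        return f"DLL from Temp passed with target process name {exe.group(1)}: {dll.group(1)}"
    return None


RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "suspicious_image_path": suspicious_image_path,
    "logon_task_highest": logon_task_highest,
    "firewall_allow_untrusted": firewall_allow_untrusted,
    "dll_injection_cmdline": dll_injection_cmdline,
}


def run_rules(events: List[dict]) -> List[Tuple[int, str, str]]:
    hits = []
    for ev in events:
        for rule_name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                hits.append((ev["pid"], rule_name, msg))
    return hits


SAMPLE_EVENTS = [
    # From the Processes section above (PIDs assigned here for the example).
    {"pid": 1001, "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"pid": 1002, "image": r"C:\Windows\windefender.exe", "cmdline": r'"C:\Windows\windefender.exe"'},
    {"pid": 1003, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 1004, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 1005, "image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    # Constructed benign activity that the rules must not flag.
    {"pid": 1006, "image": r"C:\Windows\System32\csrss.exe", "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"pid": 1007, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Contoso\Updater.exe" /TN ContosoUpdate /F'},
    {"pid": 1008, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Contoso Updater" dir=in action=allow program="C:\Program Files\Contoso\Updater.exe" enable=yes'},
    {"pid": 1009, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, rule_name, msg in run_rules(SAMPLE_EVENTS):
        print(f"pid {pid} [{rule_name}] {msg}")
```

The same predicates map directly onto Sysmon event 1 or Windows 4688 fields in a SIEM. The injector rule is deliberately behavioural (a DLL under Temp and a bare process name on one command line) rather than keyed on the string NtQuerySystemInformationHook.dll, which is a useful extra indicator but does not survive a rename; likewise the firewall and task rules fire on where the program lives, not on the name "csrss", so a renamed drop in another non-standard directory is still caught.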

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 564 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 564 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 564 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\system32\cmd.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\system32\cmd.exe |
| PID 2196 wrote to memory of 4472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 2196 wrote to memory of 4472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 2352 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2352 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\rss\csrss.exe |
| PID 2352 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\rss\csrss.exe |
| PID 2352 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe | C:\Windows\rss\csrss.exe |
| PID 3536 wrote to memory of 1408 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 1408 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 1408 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 3628 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 3628 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 3628 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 1876 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 1876 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 1876 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3536 wrote to memory of 4832 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 3536 wrote to memory of 4832 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 4768 wrote to memory of 240 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4768 wrote to memory of 240 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4768 wrote to memory of 240 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 240 wrote to memory of 1872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 240 wrote to memory of 1872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 240 wrote to memory of 1872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe

"C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe

"C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | server5.dumperstats.org | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 74.125.250.129:19302 | stun.l.google.com | udp |
| BG | 185.82.216.111:443 | server5.dumperstats.org | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server5.dumperstats.org | tcp |
| BG | 185.82.216.111:443 | server5.dumperstats.org | tcp |
| BG | 185.82.216.111:443 | server5.dumperstats.org | tcp |

Files

memory/564-1-0x0000000002A60000-0x0000000002E59000-memory.dmp

memory/564-2-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/564-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/664-4-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

memory/664-5-0x0000000002A70000-0x0000000002AA6000-memory.dmp

memory/664-7-0x00000000053C0000-0x00000000059EA000-memory.dmp

memory/664-6-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/664-8-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/664-9-0x0000000005090000-0x00000000050B2000-memory.dmp

memory/664-11-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/664-10-0x0000000005330000-0x0000000005396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwpdqxf4.s5p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/664-20-0x0000000005A60000-0x0000000005DB7000-memory.dmp

memory/664-21-0x0000000005F30000-0x0000000005F4E000-memory.dmp

memory/664-22-0x0000000005FC0000-0x000000000600C000-memory.dmp

memory/664-23-0x00000000064A0000-0x00000000064E6000-memory.dmp

memory/664-25-0x0000000071010000-0x000000007105C000-memory.dmp

memory/664-24-0x0000000007350000-0x0000000007384000-memory.dmp

memory/664-26-0x0000000071280000-0x00000000715D7000-memory.dmp

memory/664-37-0x00000000073B0000-0x0000000007454000-memory.dmp

memory/664-36-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/664-35-0x0000000007390000-0x00000000073AE000-memory.dmp

memory/664-38-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/664-40-0x00000000074E0000-0x00000000074FA000-memory.dmp

memory/664-39-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/664-41-0x0000000007520000-0x000000000752A000-memory.dmp

memory/664-42-0x0000000007630000-0x00000000076C6000-memory.dmp

memory/664-43-0x0000000007560000-0x0000000007571000-memory.dmp

memory/664-44-0x00000000075B0000-0x00000000075BE000-memory.dmp

memory/664-45-0x00000000075C0000-0x00000000075D5000-memory.dmp

memory/664-46-0x0000000007610000-0x000000000762A000-memory.dmp

memory/664-47-0x00000000076D0000-0x00000000076D8000-memory.dmp

memory/664-50-0x0000000074DA0000-0x0000000075551000-memory.dmp

memory/564-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/564-53-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/2352-55-0x0000000002A40000-0x0000000002E3A000-memory.dmp

memory/3564-64-0x0000000005AF0000-0x0000000005E47000-memory.dmp

memory/3564-65-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

memory/3564-66-0x0000000071120000-0x000000007116C000-memory.dmp

memory/3564-67-0x0000000071370000-0x00000000716C7000-memory.dmp

memory/3564-76-0x00000000071D0000-0x0000000007274000-memory.dmp

memory/3564-77-0x0000000007500000-0x0000000007511000-memory.dmp

memory/3564-78-0x0000000007550000-0x0000000007565000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1420-90-0x00000000060E0000-0x0000000006437000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 749c1c4116eff054cb0cd4785dab9d04
SHA1 c9f59b6903553bc930139e84d08946856e1dfb32
SHA256 bd84399556324d6909874dcbf9059397afc87e10022df8b3db16abe175dfb128
SHA512 ac1aaf9ed0d4fe07df6cf8ba51f110f34652a9f803d4b76875f163de6eba81e015e7b1c15b2a4769fdcb1e9deb982c9ea37a7fe57ab8fd655538a6880c57d2ba

memory/1420-93-0x00000000712A0000-0x00000000715F7000-memory.dmp

memory/1420-92-0x0000000071120000-0x000000007116C000-memory.dmp

memory/4732-111-0x00000000059B0000-0x0000000005D07000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b5b12d5b724b2be7f855305e3367e7ed
SHA1 51a7b59a575b22c5885b4ba2015dcb945b84776b
SHA256 4349b6289d058b71b66285c7ed3f559a11bf2b4f60c95666a0ceb92b1c1eacbd
SHA512 4b4bd4e2f85ec9f68fd985482f253b929bc285ea99ae71c13d8f2e72eca5b4de3dbca5ddc0e50ea6ebfc67e6ab59210379438d59967f7ad2019712a8abc5ef2e

memory/4732-113-0x0000000071120000-0x000000007116C000-memory.dmp

memory/4732-114-0x0000000071330000-0x0000000071687000-memory.dmp

memory/2352-123-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0daf5e326061c070849efb41ec2479f6
SHA1 d047abb419a0b0751f5f9776581e2eccf2203c00
SHA256 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24
SHA512 bfb0213969194c4f87ea602d9a7cf9a84e49e72c735a52803cc447c5850ebd1ef5421535577fad7fa47277d32d93408f8979626a4d71a18b1df3844d56537521

memory/2352-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1fba23264d367a4d7aee2d79ef798134
SHA1 f98290a24a27da2f76ff7763bc29c95bbeeadcd0
SHA256 25713c406b0c1fef9ead996c2b97f9d5a3cd6aadc7ae5bc03b09aaac3fd174bc
SHA512 b468c9dafb9ef90b694fe2ffdb37afab6c38c21dba9c7dfe290a9e7566e708028eb252d5b210410dba4867025ed9dab59d50aa4ae8be4fcfbf6589778382c0bc

memory/1408-140-0x0000000005E30000-0x0000000006187000-memory.dmp

memory/1408-141-0x0000000006620000-0x000000000666C000-memory.dmp

memory/1408-142-0x0000000071080000-0x00000000710CC000-memory.dmp

memory/1408-143-0x0000000071200000-0x0000000071557000-memory.dmp

memory/1408-152-0x0000000007550000-0x00000000075F4000-memory.dmp

memory/1408-153-0x0000000005C60000-0x0000000005C71000-memory.dmp

memory/1408-154-0x0000000005DF0000-0x0000000005E05000-memory.dmp

memory/3628-164-0x0000000005E50000-0x00000000061A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3d29e05dc8de523820cc7345b94f29d
SHA1 39089fec0197caadb345b25716872ecaf07fd2b5
SHA256 b4c2d0135e8fcf8ed14bb19717dae74f6f5ff5f3ace200e236d503d30a7943b9
SHA512 0ae57d650c2e31c250a1fceda54b415abc4b30a23bd339578a6cb9ab5f9895c7f1fbf905f0a0ef4311d07eb5ad4b0ad5ed4d13172a93b46dec04dc0cb4248a58

memory/3628-166-0x0000000006680000-0x00000000066CC000-memory.dmp

memory/3628-167-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

memory/3628-168-0x00000000711B0000-0x0000000071507000-memory.dmp

memory/3628-177-0x0000000007670000-0x0000000007714000-memory.dmp

memory/3628-178-0x0000000007A00000-0x0000000007A11000-memory.dmp

memory/3628-179-0x0000000006200000-0x0000000006215000-memory.dmp

memory/1876-189-0x0000000005BC0000-0x0000000005F17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 73874ed0024200ce5e109ec3b4b29bc4
SHA1 67b34a2e92801fdaf05a5f348cb87a635e30da89
SHA256 4ac7182749487372605e292569c94acb03f25ada95314105c1dff8502912536e
SHA512 db6e43184bbdd284a8e5dd85e994cb6121635ffa8540b56ae99ab3acdbc5abf17fb44f76a9bbf26a704ed1918cafcd5e3091c4e7355c1f65d17d7156c419e2b1

memory/1876-191-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

memory/1876-192-0x0000000071120000-0x0000000071477000-memory.dmp

memory/3536-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3536-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4768-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/564-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4768-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3536-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/564-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3536-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/564-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3536-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3536-237-0x0000000000400000-0x0000000000D1C000-memory.dmp