Malware Analysis Report

2025-08-05 12:17

Sample ID 240419-x5ppsadc78
Target 7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5
SHA256 7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5

Threat Level: Known bad

The file 7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:26

Reported

2024-04-19 19:29

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows collapsed: the signature fired 19 times but no indicator detail was recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
(netsh is launched through cmd.exe to add an inbound allow rule named "csrss" for C:\Windows\rss\csrss.exe; the full command line is under Processes below. The rule whitelists the persisted copy in the host firewall rather than disabling the firewall.)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows collapsed)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
(The same HKCU Run value is written first by the dropper and then re-asserted by csrss.exe itself. The value name and file name mimic the legitimate Client/Server Runtime Subsystem, csrss.exe, which only ever runs from C:\Windows\System32; a csrss.exe under C:\Windows\rss or in a Run key is a reliable hunt signal.)

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A
(\??\WinMonFS is a device object, not a file: csrss.exe is obtaining a handle to a loaded kernel driver of that name and sending it instructions. WinMonFS is the device name used by Glupteba's kernel-mode rootkit component.)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (5 identical rows collapsed)
(These are PowerShell's own CLR usage log and startup-profile cache, not dropped payloads. What matters is where they land: config\systemprofile is the profile directory of the LocalSystem account, so %LOCALAPPDATA% resolved there, which is consistent with these 32-bit PowerShell instances running as SYSTEM rather than as the Admin user who launched the sample.)

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
(\??\VBoxMiniRdrDN is the device exposed by the VirtualBox shared-folders driver; opening it only succeeds inside a VirtualBox guest with Guest Additions installed, so the dropper uses the open attempt as a VM check. The sample went on to install itself here, so the check either did not fire on this platform or does not gate execution.)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
(Drop chain, in order: the dropper creates its own directory C:\Windows\rss under the Windows root and writes csrss.exe there; that csrss.exe in turn writes C:\Windows\windefender.exe, which is later executed and hardens a service named WinDefender with sc sdset, see Processes. Writing into C:\Windows requires administrative rights, so by this point the sample is running elevated.)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
(sc.exe is used to rewrite the security descriptor of the WinDefender service with sc sdset; the full SDDL string is under Processes. The SeSecurityPrivilege entries for sc.exe in the AdjustPrivilegeToken table are a side effect of that call, since writing the SACL part of a descriptor requires that privilege.)

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
(Both rows are /CREATE invocations of the same task, named csrss, which runs C:\Windows\rss\csrss.exe at every logon with the highest available run level (/SC ONLOGON /RL HIGHEST /F); this is a second autostart alongside the Run key. A third schtasks call, /delete /tn ScheduledUpdate /f, removes a task by another name and is listed under Processes.)

Modifies data under HKEY_USERS

Description Indicator Process Target
(64 rows grouped by process and key family; every key below sits under \REGISTRY\USER\.DEFAULT\Software\)

Key created by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (21 rows, 16 distinct keys):
Microsoft\SystemCertificates\CA
Microsoft\SystemCertificates\CA\Certificates
Microsoft\SystemCertificates\Disallowed (x2)
Microsoft\SystemCertificates\Disallowed\Certificates
Microsoft\SystemCertificates\Disallowed\CTLs (x2)
Microsoft\SystemCertificates\Root\CRLs
Microsoft\SystemCertificates\trust\CTLs
Policies\Microsoft\SystemCertificates\CA
Policies\Microsoft\SystemCertificates\CA\CRLs
Policies\Microsoft\SystemCertificates\Disallowed\CTLs (x2)
Policies\Microsoft\SystemCertificates\trust
Policies\Microsoft\SystemCertificates\trust\Certificates (x2)
Policies\Microsoft\SystemCertificates\trust\CRLs
Policies\Microsoft\SystemCertificates\trust\CTLs (x2)
Policies\Microsoft\SystemCertificates\TrustedPeople
Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs

Set value (int) by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (1 row):
Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"

Set value (str) under Classes\Local Settings\MuiCache\26\52C64B7E\ by C:\Windows\windefender.exe (22 rows, key form @tzres.dll,-N):
-121 "SA Pacific Daylight Time", -132 "US Eastern Standard Time", -152 "Central America Standard Time", -181 "Mountain Daylight Time (Mexico)", -182 "Mountain Standard Time (Mexico)", -214 "Pacific Daylight Time (Mexico)", -262 "GMT Standard Time", -301 "Romance Daylight Time", -411 "E. Africa Daylight Time", -412 "E. Africa Standard Time", -431 "Iran Daylight Time", -435 "Georgian Standard Time", -449 "Azerbaijan Standard Time", -561 "SE Asia Daylight Time", -601 "Taipei Daylight Time", -872 "Pakistan Standard Time", -932 "Coordinated Universal Time", -1502 "Turkey Standard Time", -1912 "Russia TZ 10 Standard Time", -2321 "Sakhalin Daylight Time", -2632 "Norfolk Standard Time", -2892 "Sudan Standard Time"

Set value (str) under Classes\Local Settings\MuiCache\26\52C64B7E\ by C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe (20 rows, key form C:\Windows\system32\,@tzres.dll,-N):
-31 "Mid-Atlantic Daylight Time", -82 "Atlantic Standard Time", -104 "Central Brazilian Daylight Time", -111 "Eastern Daylight Time", -161 "Central Daylight Time", -211 "Pacific Daylight Time", -331 "E. Europe Daylight Time", -502 "Nepal Standard Time", -622 "Korea Standard Time", -631 "Tokyo Daylight Time", -692 "Tasmania Standard Time", -721 "Central Pacific Daylight Time", -981 "Kamchatka Daylight Time", -1821 "Russia TZ 1 Daylight Time", -1831 "Russia TZ 2 Daylight Time", -1972 "Belarus Standard Time", -2321 "Sakhalin Daylight Time", -2341 "Haiti Daylight Time", -2392 "Aleutian Standard Time", -2891 "Sudan Daylight Time"

(None of these rows is a deliberate modification by the malware. The SystemCertificates keys are PowerShell initialising its certificate stores in HKU\.DEFAULT, the hive used by the LocalSystem account, which matches the systemprofile file writes above and again points to those PowerShell instances running as SYSTEM. The MuiCache entries are cached time-zone display names resolved from tzres.dll, a side effect of the dropper and windefender.exe enumerating the system's time zones; the fact that they land in .DEFAULT rather than the Admin user's hive says the same thing about windefender.exe's security context.)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (28 rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (18 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A (12 rows)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 rows)
(64 rows collapsed by process; the individual rows carry no indicator detail)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (7 rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (2 rows)
(12 rows collapsed. SeDebugPrivilege in powershell.exe is commonly seen because the .NET runtime enables it when process information is queried, so on its own it is a weak signal; in the dropper it is the privilege needed to open other processes for injection. SeSystemEnvironmentPrivilege in csrss.exe is the privilege required by Get/SetFirmwareEnvironmentVariable, i.e. UEFI variable access, which is consistent with Glupteba's documented UEFI bootkit component and deserves follow-up on firmware variables of an infected host. SeSecurityPrivilege in sc.exe is required to write the SACL in the sc sdset call.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(36 rows collapsed to the 13 distinct parent/child pairs; the sandbox records two or three writes per pair)
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4600 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4600 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\system32\cmd.exe (x2)
PID 2368 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (x2)
PID 4600 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4600 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4600 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\rss\csrss.exe (x3)
PID 4468 wrote to memory of 2836 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\sc.exe (x3)
PID 4468 wrote to memory of 908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4468 wrote to memory of 4352 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 4468 wrote to memory of 1284 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (x2)
PID 1496 wrote to memory of 456 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (x3)
PID 456 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (x3)
(Every write here is from a parent into a process it has just created, and every target reappears as a child under Processes; that is what process creation looks like in this telemetry, not injection into a pre-existing process. The genuine injection, injector.exe loading a DLL into taskmgr.exe, does not show up in this table. Two PIDs are reused during the run: 456 is first powershell.exe and later cmd.exe, and 2836 is sc.exe under two different parents, so correlate rows by image path and parent rather than by PID alone. The table also gives the process lineage: 1928 is the first instance of the dropper, 4600 the second instance that does the installation, and 1496 the windefender.exe service process.)
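The table above is flat and repeats each pair several times, which makes the lineage hard to read. The following script is an added example and not part of the sandbox report: it rebuilds the process tree from rows in exactly this format, collapses the repeated per-call rows, and keys every node on (PID, image path) so that a reused PID such as 456 does not merge two unrelated processes. Only a subset of the rows is embedded (labelled in the code), with a few repeats kept to show the collapse; the row format is assumed to be the literal text of this table.

```python
import re
from collections import defaultdict

# Image paths exactly as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
WINDEF = r"C:\Windows\windefender.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"

# Rows copied from the WriteProcessMemory table above. The sandbox logs one row per
# call, so each parent/child pair normally repeats two or three times; most repeats
# are left out here and a few are kept to show that they collapse.
ROWS = [
    f"PID 1928 wrote to memory of 456 N/A {SAMPLE} {PS}",
    f"PID 1928 wrote to memory of 456 N/A {SAMPLE} {PS}",
    f"PID 1928 wrote to memory of 456 N/A {SAMPLE} {PS}",
    f"PID 4600 wrote to memory of 2764 N/A {SAMPLE} {PS}",
    f"PID 4600 wrote to memory of 2368 N/A {SAMPLE} {CMD64}",
    f"PID 2368 wrote to memory of 3624 N/A {CMD64} {NETSH}",
    f"PID 4600 wrote to memory of 4704 N/A {SAMPLE} {PS}",
    f"PID 4600 wrote to memory of 3740 N/A {SAMPLE} {PS}",
    f"PID 4600 wrote to memory of 4468 N/A {SAMPLE} {CSRSS}",
    f"PID 4468 wrote to memory of 2836 N/A {CSRSS} {SC}",
    f"PID 4468 wrote to memory of 908 N/A {CSRSS} {PS}",
    f"PID 4468 wrote to memory of 4352 N/A {CSRSS} {PS}",
    f"PID 4468 wrote to memory of 1284 N/A {CSRSS} {INJECTOR}",
    f"PID 1496 wrote to memory of 456 N/A {WINDEF} {CMD32}",
    f"PID 1496 wrote to memory of 456 N/A {WINDEF} {CMD32}",
    f"PID 456 wrote to memory of 2836 N/A {CMD32} {SC}",
]

# Paths in this report contain no spaces, so \S+ is enough for the two image columns.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(rows):
    """Distinct (parent, child) edges; each end is a (pid, image) pair so that a
    reused PID with a different image becomes a separate node."""
    edges = set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        ppid, cpid, pimg, cimg = m.groups()
        edges.add(((int(ppid), pimg), (int(cpid), cimg)))
    return edges


def reused_pids(edges):
    """PIDs that occur with more than one image path during the run."""
    images = defaultdict(set)
    for parent, child in edges:
        for pid, img in (parent, child):
            images[pid].add(img)
    return {pid: imgs for pid, imgs in images.items() if len(imgs) > 1}


def build_tree(edges):
    """Return (children map, roots). Roots are nodes that never appear as a child."""
    children = defaultdict(list)
    nodes, kids = set(), set()
    for parent, child in edges:
        children[parent].append(child)
        nodes.update((parent, child))
        kids.add(child)
    for k in children:
        children[k].sort()
    return children, sorted(nodes - kids)


def render(edges):
    """Indented text tree, one line per node, depth-first from each root."""
    children, roots = build_tree(edges)
    lines = []

    def walk(node, depth):
        pid, img = node
        lines.append("  " * depth + f"[{pid}] {img}")
        for c in children.get(node, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(ROWS)
    print(render(edges))
    for pid, imgs in sorted(reused_pids(edges).items()):
        print(f"PID {pid} reused by: {sorted(imgs)}")
```

The (PID, image) key separates the two lives of PID 456 but cannot separate PID 2836, which was sc.exe both times; that node is printed under both parents. Only a start timestamp or a process GUID would resolve that case, which is why EDR telemetry keys on those rather than on PIDs.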

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe

"C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe

"C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
(User-mode rootkit component: injector.exe loads NtQuerySystemInformationHook.dll into taskmgr.exe. Task Manager enumerates processes through NtQuerySystemInformation, so hooking that call inside Task Manager lets the malware filter its own processes out of the list the user sees. The target and DLL path are passed on the command line, which makes this launch easy to match on.)

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 9e8fadb2-8458-4430-acad-947e0bc56fe5.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server5.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server5.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
NL 74.125.128.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
BG 185.82.216.108:443 server5.databaseupgrade.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.108:443 server5.databaseupgrade.ru tcp
N/A 127.0.0.1:31465 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/1928-1-0x0000000003CA0000-0x000000000409A000-memory.dmp

memory/1928-2-0x00000000040A0000-0x000000000498B000-memory.dmp

memory/1928-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/456-5-0x0000000074960000-0x0000000075110000-memory.dmp

memory/456-4-0x0000000002C30000-0x0000000002C66000-memory.dmp

memory/456-7-0x0000000005040000-0x0000000005050000-memory.dmp

memory/456-6-0x0000000005040000-0x0000000005050000-memory.dmp

memory/456-8-0x0000000005680000-0x0000000005CA8000-memory.dmp

memory/456-9-0x0000000005350000-0x0000000005372000-memory.dmp

memory/456-11-0x0000000005470000-0x00000000054D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlbq4yyh.rgf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/456-10-0x0000000005400000-0x0000000005466000-memory.dmp

memory/456-21-0x0000000005CB0000-0x0000000006004000-memory.dmp

memory/456-22-0x0000000006220000-0x000000000623E000-memory.dmp

memory/456-23-0x0000000006260000-0x00000000062AC000-memory.dmp

memory/456-24-0x0000000006780000-0x00000000067C4000-memory.dmp

memory/456-25-0x0000000007350000-0x00000000073C6000-memory.dmp

memory/456-26-0x0000000007C80000-0x00000000082FA000-memory.dmp

memory/456-27-0x0000000007600000-0x000000000761A000-memory.dmp

memory/456-29-0x00000000077A0000-0x00000000077D2000-memory.dmp

memory/456-28-0x000000007F3D0000-0x000000007F3E0000-memory.dmp

memory/456-30-0x0000000070800000-0x000000007084C000-memory.dmp

memory/456-31-0x0000000070BD0000-0x0000000070F24000-memory.dmp

memory/456-42-0x00000000077E0000-0x00000000077FE000-memory.dmp

memory/456-41-0x0000000005040000-0x0000000005050000-memory.dmp

memory/456-43-0x0000000007800000-0x00000000078A3000-memory.dmp

memory/456-44-0x00000000078F0000-0x00000000078FA000-memory.dmp

memory/456-45-0x00000000079C0000-0x0000000007A56000-memory.dmp

memory/456-46-0x0000000007920000-0x0000000007931000-memory.dmp

memory/456-47-0x0000000007960000-0x000000000796E000-memory.dmp

memory/456-48-0x0000000007970000-0x0000000007984000-memory.dmp

memory/456-49-0x0000000007A60000-0x0000000007A7A000-memory.dmp

memory/456-50-0x00000000079A0000-0x00000000079A8000-memory.dmp

memory/456-53-0x0000000074960000-0x0000000075110000-memory.dmp

memory/1928-54-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1928-57-0x00000000040A0000-0x000000000498B000-memory.dmp

memory/4600-56-0x0000000003900000-0x0000000003D04000-memory.dmp

memory/4600-58-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2764-59-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/2764-61-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/2764-60-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/2764-71-0x0000000005D80000-0x00000000060D4000-memory.dmp

memory/2764-72-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/2764-73-0x0000000070900000-0x000000007094C000-memory.dmp

memory/2764-74-0x000000007F4F0000-0x000000007F500000-memory.dmp

memory/2764-75-0x0000000070A80000-0x0000000070DD4000-memory.dmp

memory/2764-86-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/2764-87-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/2764-85-0x0000000007340000-0x00000000073E3000-memory.dmp

memory/2764-88-0x0000000007650000-0x0000000007661000-memory.dmp

memory/2764-89-0x00000000076A0000-0x00000000076B4000-memory.dmp

memory/2764-92-0x0000000074A00000-0x00000000751B0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4704-94-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/4704-96-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/4704-95-0x00000000059C0000-0x0000000005D14000-memory.dmp

memory/4704-97-0x0000000004A90000-0x0000000004AA0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 082d6f4c2484cfd819b3c081b4274d61
SHA1 782d5d5ed336523eddd46b57bb6b56c60355c55c
SHA256 4f0a1e20fe0a377f88ba1230b562cb3002d37af24cce0a6917840ff95fbd28e4
SHA512 bd7575bf183c65489e3650d41774820acaaface1e148abaad3fb9568ec603f5367e8ba13ea7f5d99b3f55a313e3ba620be07d19f84b8ff2dfcf7905261f66aeb

memory/4704-109-0x0000000070900000-0x000000007094C000-memory.dmp

memory/4704-108-0x000000007F2E0000-0x000000007F2F0000-memory.dmp

memory/4704-110-0x0000000071090000-0x00000000713E4000-memory.dmp

memory/4600-120-0x0000000003900000-0x0000000003D04000-memory.dmp

memory/4704-121-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/4704-123-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3740-124-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3740-125-0x0000000004D50000-0x0000000004D60000-memory.dmp

memory/3740-136-0x0000000004D50000-0x0000000004D60000-memory.dmp

memory/3740-131-0x0000000005B30000-0x0000000005E84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 58aa4ab4114f764cc341d7441e5329a9
SHA1 81af705e98b30f97af460ef28d157bd3b9cb5ed0
SHA256 59e57cece5c8518097ef9ca382e86a2ab63f012d31c79abb7ce9e614d922ed36
SHA512 8f784bd9d71427a77ba179a091df771578ad28d46eb6a54a18b7b16452c3662c8f980955ad5a65e272b3ce1d9e20a318c510cbc3a2ce452b4d5ff4455b992f4b

C:\Windows\rss\csrss.exe

MD5 bc162161fbbacbb8e9cc0ad7601df247
SHA1 732d1aa81ed81ffb8c64e824d1516ef73ba44183
SHA256 7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5
SHA512 c73d1fa6958e5c3cbffe21ee527411e12427b76e8e4dee3297dc552bdaecf91a39e1a000d941a0c3fac51f1b60b0217b7dc01494709ecd9d1fd67e37ecb4ea52

memory/4600-158-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9940a6a3d8d539902c4e5c393e46a05f
SHA1 60eadc696a186d306d93db3db4c8777296e52b51
SHA256 1e1558a3d8fe94b1d73e12b140bd5fd9af4f42446d04a73339420c3daa784909
SHA512 fad3c59d2ace7ca27dfa7ba35e5f516fa845a87e51928a1c365d36cbfed57537f7bcb03cbadbeba0139e52080dbc18d5dbf73994351a89c2b7d34cce2fe200a7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b28333267ad1b23928e10ba15bc1e45
SHA1 297f5e09bea532daade9d29f010ae814af3e93b0
SHA256 bbe4168c5b456cc86aab729fca75144215c3bdc5e1c808cd1aa913919fd71db9
SHA512 6a2b100025a4278c2c9635e118f6211fda6b94b79b810753257ba54822dfb716cb0e2b58cfe5accd46bdbb087d610473091f1f45f484ecaf39e2786c651e7181

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 96744adccf56be14cd37b72532e68403
SHA1 f1d0135f6ac6ff4535e2b8ec32f5cb33fa903586
SHA256 8a3bd82497213afb18b5e1e1d05a402f9e27ca266dc57b7638ec6a8e1406710f
SHA512 539e6263344317b564ed9fca214e362394b6bc3ff53c2381734d68a321ddde401c163873cd70850f67d2ef0ba38a6f6ea3061e1a38aee33070705ab5310d8b57

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4468-264-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1496-272-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4468-273-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1740-274-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4468-275-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-277-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1740-278-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4468-279-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-281-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-283-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-285-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-287-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-289-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-291-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-293-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4468-295-0x0000000000400000-0x0000000001E08000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:26

Reported

2024-04-19 19:28

Platform

win11-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\system32\cmd.exe
PID 788 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4800 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\rss\csrss.exe
PID 4800 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\rss\csrss.exe
PID 4800 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe C:\Windows\rss\csrss.exe
PID 3872 wrote to memory of 4412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4728 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4728 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4728 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4952 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 4820 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3872 wrote to memory of 4820 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 976 wrote to memory of 4200 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 4200 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 4200 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4200 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4200 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe

"C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2492 -ip 2492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 2580

C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe

"C:\Users\Admin\AppData\Local\Temp\7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3816 -ip 3816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 35860104-96f4-4102-a617-86e15ca307f4.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server11.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
BG 185.82.216.108:443 server11.databaseupgrade.ru tcp
NL 52.111.243.29:443 tcp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.108:443 server11.databaseupgrade.ru tcp

Files

memory/3816-1-0x0000000003EA0000-0x0000000004299000-memory.dmp

memory/3816-2-0x00000000042A0000-0x0000000004B8B000-memory.dmp

memory/3816-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2492-4-0x0000000074240000-0x00000000749F1000-memory.dmp

memory/2492-5-0x00000000047D0000-0x0000000004806000-memory.dmp

memory/2492-6-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/2492-7-0x0000000004E40000-0x000000000546A000-memory.dmp

memory/2492-8-0x0000000004C80000-0x0000000004CA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhhpqu5j.i22.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2492-9-0x0000000005470000-0x00000000054D6000-memory.dmp

memory/2492-15-0x00000000056E0000-0x0000000005746000-memory.dmp

memory/2492-19-0x0000000005840000-0x0000000005B97000-memory.dmp

memory/2492-20-0x0000000005C30000-0x0000000005C4E000-memory.dmp

memory/2492-21-0x0000000005C70000-0x0000000005CBC000-memory.dmp

memory/2492-22-0x0000000006130000-0x0000000006176000-memory.dmp

memory/2492-23-0x000000007F1A0000-0x000000007F1B0000-memory.dmp

memory/2492-24-0x0000000007070000-0x00000000070A4000-memory.dmp

memory/2492-25-0x00000000704B0000-0x00000000704FC000-memory.dmp

memory/2492-26-0x0000000070630000-0x0000000070987000-memory.dmp

memory/2492-35-0x00000000070B0000-0x00000000070CE000-memory.dmp

memory/2492-36-0x00000000070D0000-0x0000000007174000-memory.dmp

memory/2492-37-0x0000000007840000-0x0000000007EBA000-memory.dmp

memory/2492-38-0x0000000007200000-0x000000000721A000-memory.dmp

memory/2492-39-0x0000000007240000-0x000000000724A000-memory.dmp

memory/2492-40-0x0000000074240000-0x00000000749F1000-memory.dmp

memory/4800-43-0x0000000003BA0000-0x0000000003F9A000-memory.dmp

memory/3816-42-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3816-44-0x0000000003EA0000-0x0000000004299000-memory.dmp

memory/3816-45-0x00000000042A0000-0x0000000004B8B000-memory.dmp

memory/4800-46-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/448-48-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

memory/448-47-0x00000000742E0000-0x0000000074A91000-memory.dmp

memory/448-49-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

memory/448-58-0x0000000005A00000-0x0000000005D57000-memory.dmp

memory/448-59-0x0000000006450000-0x000000000649C000-memory.dmp

memory/448-62-0x0000000070810000-0x0000000070B67000-memory.dmp

memory/448-72-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

memory/448-71-0x0000000007100000-0x00000000071A4000-memory.dmp

memory/448-73-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

memory/448-61-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/448-60-0x000000007FBF0000-0x000000007FC00000-memory.dmp

memory/448-74-0x0000000007500000-0x0000000007596000-memory.dmp

memory/448-75-0x0000000007420000-0x0000000007431000-memory.dmp

memory/448-76-0x0000000007460000-0x000000000746E000-memory.dmp

memory/448-77-0x0000000007470000-0x0000000007485000-memory.dmp

memory/448-78-0x00000000074B0000-0x00000000074CA000-memory.dmp

memory/448-79-0x00000000074D0000-0x00000000074D8000-memory.dmp

memory/448-82-0x00000000742E0000-0x0000000074A91000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4644-84-0x00000000742E0000-0x0000000074A91000-memory.dmp

memory/4644-85-0x0000000004B00000-0x0000000004B10000-memory.dmp

memory/4644-94-0x0000000004B00000-0x0000000004B10000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d67cc5619471c661372a1578c4f8aae1
SHA1 9c07314078eeb8ff802f07fde6af1ea6bceaa8c9
SHA256 d033ddc1471f37680f8d4d333987f26b2271166116e6d43bb78e47109aeda4bc
SHA512 b888737b556604783792bef5b069985040def268888ca83601258e8825a9c8e47a03da110a86a62d41688aa66f59fc22272d1828c59b994c66dd070206ea335a

memory/4644-96-0x000000007F640000-0x000000007F650000-memory.dmp

memory/4644-97-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/4644-98-0x0000000070810000-0x0000000070B67000-memory.dmp

memory/4644-107-0x0000000004B00000-0x0000000004B10000-memory.dmp

memory/4644-109-0x00000000742E0000-0x0000000074A91000-memory.dmp

memory/2744-110-0x00000000742E0000-0x0000000074A91000-memory.dmp

memory/4800-111-0x0000000003BA0000-0x0000000003F9A000-memory.dmp

memory/2744-112-0x0000000003420000-0x0000000003430000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fce8a0b7b3b787b6e14b6469516ef7b6
SHA1 6235f111ccaaf75cf075183375f548be0c3fcaf9
SHA256 0d94a076babb139523b30736e614f28aa4bbec1259634e2501d96bc71dce165c
SHA512 9026eb4ec2122e9f3b87a02b8c57c668cadebe60c092f48145e8da9489af98640f597a427c3ad63c8bbbd9b36f50f14d176dc916366a888cec5f839ff321fa28

memory/2744-123-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/2744-122-0x000000007FC40000-0x000000007FC50000-memory.dmp

memory/2744-124-0x0000000070810000-0x0000000070B67000-memory.dmp

memory/4800-133-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2744-135-0x00000000742E0000-0x0000000074A91000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 bc162161fbbacbb8e9cc0ad7601df247
SHA1 732d1aa81ed81ffb8c64e824d1516ef73ba44183
SHA256 7c0e1377b5a7c386f69b4e20bd83316457c5ba36607bb13016a0b76e782e57c5
SHA512 c73d1fa6958e5c3cbffe21ee527411e12427b76e8e4dee3297dc552bdaecf91a39e1a000d941a0c3fac51f1b60b0217b7dc01494709ecd9d1fd67e37ecb4ea52

memory/3872-142-0x0000000004200000-0x0000000004600000-memory.dmp

memory/4800-141-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-143-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e36e81e81915fbe01d9bc6636275a50a
SHA1 340471eaefd201e686cd8582a3839b1b2bb8ed48
SHA256 c3a6bff426e79dd782f6438c0073d35f53593d500159fe2e62c02f2358fae4bf
SHA512 7ea3262b38d7b983d6cc9fdd7a715297ff64ce7d22292834b325f0bd44abef443ed20f0a96525f27abaca698696e13c14ac2ec7bcf1442a1fe7927fa7262bc17

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0924f60adad51c0f727f54f0d258d7ba
SHA1 0c8054a888c17a5bfc70e8ec7181b982f9786884
SHA256 d468906eee939ac250d4f1fb08fe823c7ff95269c963d40a103df6deb4359674
SHA512 5ff71a8612a1831a307eb044c1ad8d6a288758938239cc059150e61398b9df201ff09518f9c9a699ed900fccd125a8fd2ca9ad061e07c4d3514300b211c614f8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cbc77e9df17ddda24d8db8340d89ad41
SHA1 de612a6b1ed8ae3fa6d3ada1f03ec25e7a048f15
SHA256 91995272b220c983d6dd7dbb084e6f086c78420c25931217a115c5b6adecf191
SHA512 50d0913fdd22837ff7c2164c20f54f03fa1f3b13165efee3604ff576c45ab3585df6974ec9f5db5880886d392aec235e2740a788551cc6f14e3f81f6c6ab8000

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3872-237-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/976-245-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3872-246-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2184-247-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3872-248-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-250-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2184-251-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3872-252-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-254-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-256-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2184-257-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3872-258-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-260-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-262-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-264-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-266-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3872-268-0x0000000000400000-0x0000000001E08000-memory.dmp