Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x6f42aah4z
Target 7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb
SHA256 7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb

Threat Level: Known bad

The file 7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:27

Reported

2024-05-09 19:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 matches; the report records no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(5 matches; the report records no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
The indicator is a device name, not a DLL: \??\VBoxMiniRdrDN is the NT path of the VirtualBox shared-folders device (\\.\VBoxMiniRdrDN in Win32 terms), which only exists when Guest Additions are installed. The sample probes it with a file open; a successful open is a reliable VirtualBox tell, which is why the check is listed under anti-VM even though the sandbox's signature title says "DLLs".

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 20
C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe 12
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 26
C:\Windows\rss\csrss.exe 6
(64 hits in total; the report records no description, indicator or target for any of them)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
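Two entries in this table deserve a closer look. sc.exe enabling SeSecurityPrivilege is consistent with the sc sdset WinDefender command line recorded in the process list: the descriptor it writes carries a SACL (the S: part), and writing a SACL requires that privilege. csrss.exe here is the dropped copy in C:\Windows\rss, not the Windows subsystem process, and it enables SeSystemEnvironmentPrivilege, the privilege that gates reading and writing UEFI firmware variables (GetFirmwareEnvironmentVariable and SetFirmwareEnvironmentVariable). The report shows no firmware access, but a user-mode binary asking for that privilege is rare enough that the firmware variables and Secure Boot state of an infected host are worth checking.

The decoder below is an added example, not part of the sandbox output. It parses the SDDL string copied from that sc sdset line, using the standard two-letter rights codes as they apply to service objects and the well-known SID abbreviations, and evaluates each trustee's access the way the access check does (first matching ACE wins). What it shows: Administrators are explicitly denied SERVICE_STOP and SERVICE_PAUSE_CONTINUE, only LocalSystem can stop the service, and every failed access by Everyone is audited. Administrators keep WRITE_DAC, DELETE and SERVICE_CHANGE_CONFIG, so the lock-out is a nuisance rather than a barrier: an administrator can rewrite the DACL with another sc sdset or stop the service from a SYSTEM context. Note also that the service name WinDefender imitates the real Microsoft Defender Antivirus service, whose name is WinDefend.

```python
import re

# Two-letter rights codes as they apply to service objects (the codes that
# sc sdshow / sc sdset use); the first nine are the service-specific rights.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"SA": "audit-success", "FA": "audit-failure"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}

# Copied verbatim from the sc sdset WinDefender command line in the process list.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def _pairs(code, table):
    """Split a run of two-letter SDDL codes and name each; unknown codes pass through."""
    return [table.get(code[i:i + 2], code[i:i + 2]) for i in range(0, len(code), 2)]


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]} in the order the ACEs appear."""
    acls = {"D": [], "S": []}
    for acl, body in re.findall(r"(D|S):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
            acls[acl].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": _pairs(flags, ACE_FLAGS),
                # a numeric mask (0x...) is left as-is rather than decoded
                "rights": [rights] if rights.startswith("0x") else _pairs(rights, SERVICE_RIGHTS),
                "trustee": TRUSTEES.get(sid, sid),
            })
    return acls


def check_access(acls, trustee, right):
    """Walk the DACL first-match for one explicit trustee: the first ACE that
    names both the trustee and the right decides. Group membership, owner
    rights and generic-right mapping are not modelled."""
    for ace in acls["D"]:
        if ace["trustee"] == trustee and right in ace["rights"]:
            return ace["type"] == "ALLOW"
    return False  # nothing grants it: implicit deny


def effective_rights(acls, trustee):
    """(allowed, denied) sets for every right the DACL mentions for a trustee."""
    allowed, denied = set(), set()
    for ace in acls["D"]:
        if ace["trustee"] == trustee:
            for r in ace["rights"]:
                (allowed if check_access(acls, trustee, r) else denied).add(r)
    return allowed, denied


def lockout_report(acls):
    """Per trustee: can it stop the service, can it repair the DACL, what is denied."""
    out = {}
    for trustee in {ace["trustee"] for ace in acls["D"]}:
        allowed, denied = effective_rights(acls, trustee)
        out[trustee] = {"can_stop": "SERVICE_STOP" in allowed,
                        "can_rewrite_dacl": "WRITE_DAC" in allowed,
                        "denied": sorted(denied)}
    return out


if __name__ == "__main__":
    acls = parse_sddl(WINDEFENDER_SDDL)
    for trustee, info in sorted(lockout_report(acls).items()):
        print(f"{trustee:15} stop={info['can_stop']!s:5} "
              f"write_dac={info['can_rewrite_dacl']!s:5} denied={info['denied']}")
    for ace in acls["S"]:
        print("SACL:", ace["type"], ace["flags"], ace["trustee"], len(ace["rights"]), "rights")
```

The check deliberately models only explicit trustees; a real administrator token also carries the Everyone and Interactive SIDs, which only adds allow ACEs without stop rights, so the conclusion for this descriptor does not change.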

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\system32\cmd.exe
PID 4604 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3240 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4604 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\rss\csrss.exe
PID 4604 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\rss\csrss.exe
PID 4604 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\rss\csrss.exe
PID 3184 wrote to memory of 2776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 2776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 2776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 4720 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3184 wrote to memory of 4720 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1212 wrote to memory of 1532 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1532 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1532 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1532 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1532 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
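The WriteProcessMemory rows above are really a process tree: each row is a parent writing into a child it has just created, and the same edge is logged once per write. Rebuilding the tree from them shows two instances of the sample (PIDs 1816 and 4604) and a third root, windefender.exe (PID 1212), whose parent does not appear in the table, which is consistent with a service start by services.exe. It also makes the masquerading obvious: the real csrss.exe is a protected process started by smss.exe and is never a child of a user application, yet here C:\Windows\rss\csrss.exe is spawned by the sample and goes on to spawn PowerShell and the injector.

The script below is an added example, not part of the sandbox output. It parses rows copied from the table above (paths in this report contain no spaces, which the regex relies on), collapses the duplicates, and flags image paths a responder should question: a Windows binary name such as csrss.exe running outside System32 or SysWOW64, an unknown executable placed directly under C:\Windows, and executables running from the user's Temp directory. The allow-list of binaries that legitimately sit in C:\Windows is an assumption and deliberately short; extend it from a clean reference image.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"

# Rows copied from the WriteProcessMemory table in this report; the repeated
# 1816 -> 4116 row is kept to show that duplicate writes collapse to one edge.
WPM_ROWS = r"""
PID 1816 wrote to memory of 4116 N/A {S} C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 4116 N/A {S} C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 2756 N/A {S} C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 3240 N/A {S} C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4604 wrote to memory of 2160 N/A {S} C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 4192 N/A {S} C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4604 wrote to memory of 3184 N/A {S} C:\Windows\rss\csrss.exe
PID 3184 wrote to memory of 2776 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 4720 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1212 wrote to memory of 1532 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
""".replace("{S}", SAMPLE)

# Paths in this report contain no spaces, so whitespace-delimited fields suffice.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def build_tree(rows):
    """Map child PID -> (parent PID, parent image, child image), one edge per child."""
    tree = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            tree[int(m[2])] = (int(m[1]), m[3], m[4])
    return tree


def images(tree):
    """PID -> image path for every process named in the edges."""
    out = {}
    for pid, (ppid, pimg, cimg) in tree.items():
        out[ppid], out[pid] = pimg, cimg
    return out


def roots(tree):
    """Parents that never appear as a child: their own parent is not in the table."""
    return {ppid for ppid, _, _ in tree.values()} - set(tree)


def children(tree, ppid):
    return {pid for pid, edge in tree.items() if edge[0] == ppid}


def lineage(tree, pid):
    """[pid, parent, grandparent, ...] up to a root."""
    chain = [pid]
    while pid in tree:
        pid = tree[pid][0]
        chain.append(pid)
    return chain


SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_NAMES = {"csrss.exe", "cmd.exe", "netsh.exe", "sc.exe", "powershell.exe", "schtasks.exe"}
# Assumed allow-list of binaries that legitimately sit directly in C:\Windows;
# extend it from a clean reference image of the same build.
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                   "write.exe", "splwow64.exe", "winhlp32.exe", "bfsvc.exe"}


def flag_image(path):
    """Reason to question an image path, or None."""
    directory, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_NAMES and not directory.startswith(SYSTEM_DIRS):
        return "Windows binary name outside System32/SysWOW64 (masquerading)"
    if directory == r"c:\windows" and name not in WINDOWS_ROOT_OK:
        return "unknown executable directly under C:\\Windows"
    if r"\appdata\local\temp" in directory:
        return "executable running from the user's Temp directory"
    return None


def flag_tree(tree):
    """Image path -> reason, for every flagged process in the tree."""
    flagged = {}
    for img in set(images(tree).values()):
        reason = flag_image(img)
        if reason:
            flagged[img] = reason
    return flagged


def render(tree, pid, depth=0):
    """Indented one-line-per-process view of the subtree under pid."""
    lines = ["  " * depth + f"{pid} {images(tree)[pid]}"]
    for child in sorted(children(tree, pid)):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    t = build_tree(WPM_ROWS)
    for root in sorted(roots(t)):
        print("\n".join(render(t, root)))
    for img, why in flag_tree(t).items():
        print(f"FLAG {img}: {why}")
```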

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe

"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4076,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1276 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe

"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
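The process listing above is the whole living-off-the-land chain in one place: netsh opens an inbound firewall hole for C:\Windows\rss\csrss.exe, schtasks registers the same binary as a highest-privilege logon task, injector.exe loads NtQuerySystemInformationHook.dll into taskmgr.exe, and sc sdset rewrites the DACL of the WinDefender service. The following is an added example, not code from this report or from the sandbox vendor: a small Python triage that runs detection rules over those command lines and, for the sc sdset case, decodes the SDDL instead of string-matching it. The command lines are copied from the listing; the SYSTEM_NAMES list, the rule logic and the finding strings are this example's own assumptions.

```python
"""Detection rules over the command lines recorded in this report.

Added example, not the sandbox's own logic. The command lines below are
copied from the process listing; SYSTEM_NAMES, the rules and the finding
strings are this example's assumptions."""
import re
from pathlib import PureWindowsPath

# The descriptor passed to `sc sdset WinDefender` in the listing above.
OBSERVED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed sample input: command lines taken from the listing above.
OBSERVED_CMDLINES = [
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe '
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    "sc sdset WinDefender " + OBSERVED_SDDL,
    "powershell -nologo -noprofile",  # also in the listing; must stay clean on its own
]

# Core Windows process names that legitimately run only from System32 (assumed list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
                "services.exe", "wininit.exe", "svchost.exe"}

# SDDL right codes as sc.exe applies them to service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")
STOP_RIGHTS = {"STOP", "PAUSE_CONTINUE"}


def unquote(s):
    return s.strip('"')


def masquerading(path):
    """True when a core Windows process name is run from anywhere but System32."""
    p = PureWindowsPath(unquote(path))
    return p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() != r"c:\windows\system32"


def parse_dacl(sddl):
    """Return [(ace_type, {right names}, trustee)] for the D: part of an SDDL string."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    aces = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(m.group(1) if m else ""):
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]   # rights are two-letter codes
        aces.append((ace_type, {SERVICE_RIGHTS.get(c, c) for c in codes}, sid))
    return aces


def admins_can_reset(sddl):
    """True if Builtin Administrators still hold WRITE_DAC, so `sc sdset` can undo the lock."""
    aces = parse_dacl(sddl)
    allowed = any(t == "A" and s == "BA" and "WRITE_DAC" in r for t, r, s in aces)
    denied = any(t == "D" and s == "BA" and "WRITE_DAC" in r for t, r, s in aces)
    return allowed and not denied


def detect(cmdline):
    """Return the findings for one command line (empty list means no rule fired)."""
    findings = []
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?action=allow.*?program=("[^"]+"|\S+)', cmdline, re.I)
    if m and masquerading(m.group(1)):
        findings.append(f"inbound firewall allow for masquerading binary {unquote(m.group(1))}")
    m = re.search(r'schtasks\s+/create\b.*?/tr\s+("[^"]+"|\S+)', cmdline, re.I)
    if m and "/rl highest" in cmdline.lower() and masquerading(m.group(1)):
        findings.append(f"highest-privilege logon task runs masquerading binary {unquote(m.group(1))}")
    m = re.search(r"\s(\S+\.exe)\s+(\S+\.dll)\s*$", cmdline, re.I)   # "<target>.exe <payload>.dll" argument shape
    if m and "ntquerysysteminformation" in PureWindowsPath(m.group(2)).name.lower():
        findings.append(f"DLL hooking the process-enumeration API injected into {m.group(1)} (process hiding)")
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if m:
        svc, sddl = m.groups()
        for ace_type, rights, sid in parse_dacl(sddl):
            if ace_type == "D" and sid == "BA" and rights & STOP_RIGHTS:
                note = " (WRITE_DAC retained, sc sdset can restore it)" if admins_can_reset(sddl) else ""
                findings.append(f"service {svc}: DACL denies {'/'.join(sorted(rights & STOP_RIGHTS))} "
                                f"to Administrators{note}")
    return findings


def triage(cmdlines):
    """Map each command line to its findings."""
    return {c: detect(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, hits in triage(OBSERVED_CMDLINES).items():
        print(cmd[:60], "->", hits or "clean")
```

Decoding the descriptor is what makes the sc sdset line actionable: (D;;WPDT;;;BA) denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE to Builtin Administrators, which is why the "WinDefender" service cannot simply be stopped from an elevated prompt, while the allow ACE for BA still grants WRITE_DAC, so an administrator can write a sane descriptor back with sc sdset before stopping and deleting the service. The masquerading check is deliberately path-based rather than name-based: csrss.exe is a legitimate name, and only its location under C:\Windows\rss makes it suspicious.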

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 145.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 169.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 85cb5bfd-d392-4e01-af24-556d995457f8.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server16.thestatsfiles.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
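Most rows in the table above are resolver traffic (queries to 8.8.8.8, many of them reverse lookups of the addresses the agent talks to) rather than connections, so the hunt-worthy indicators have to be pulled out of the noise. The following is an added example, not part of this report or the sandbox's own classification: a Python triage that parses rows in the table's column order, decodes PTR names back to addresses, separates DNS-only names from actual connections, and cross-references the two. The rows are a subset copied from the table; the resolver address, the allowlists, the class names and the UUID-label heuristic are this example's own assumptions.

```python
"""Triage of the network table above into hunt-ready indicators.

Added example. The rows are copied from this report (a subset); the
allowlists, class names and the UUID heuristic are this example's own
assumptions, not the sandbox's classification."""
import re
from collections import defaultdict

# Constructed sample input: rows from the table above, same column order.
NETWORK_ROWS = """\
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
US 8.8.8.8:53 85cb5bfd-d392-4e01-af24-556d995457f8.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server16.thestatsfiles.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
"""

RESOLVER = "8.8.8.8"                   # the sandbox's DNS forwarder (assumed)
KNOWN_NOISE = {"www.bing.com"}         # Edge start-page traffic in this detonation (assumed benign)
STUN_HOSTS = {"stun3.l.google.com"}    # STUN: public-IP / NAT discovery, not a C2 channel by itself
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)


def ptr_to_ip(name):
    """'96.216.82.185.in-addr.arpa' -> '185.82.216.96'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def parse_rows(text):
    """Parse 'Country ip:port domain proto' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Split rows into hunt / stun / noise connections, DNS-only names and reverse lookups."""
    connected = defaultdict(lambda: {"ips": set(), "countries": set(), "connections": 0})
    queried, reverse = set(), set()
    for r in rows:
        ptr = ptr_to_ip(r["domain"])
        if ptr:                                          # PTR query: who owns this address?
            reverse.add(ptr)
        elif r["ip"] == RESOLVER and r["port"] == 53:    # forward query: keep the name only
            queried.add(r["domain"])
        else:                                            # an actual connection
            c = connected[r["domain"]]
            c["ips"].add(r["ip"])
            c["countries"].add(r["country"])
            c["connections"] += 1
    out = {"hunt": {}, "stun": {}, "noise": {}, "dns_only": {}}
    for dom, info in connected.items():
        cls = "noise" if dom in KNOWN_NOISE else "stun" if dom in STUN_HOSTS else "hunt"
        out[cls][dom] = info
    for dom in queried - set(connected):                 # resolved but never contacted in the capture
        out["dns_only"][dom] = {"uuid_label": bool(UUID_LABEL.match(dom))}
    hunt_ips = {ip for info in out["hunt"].values() for ip in info["ips"]}
    out["reverse_lookups"] = reverse
    out["reverse_lookups_of_hunt_ips"] = reverse & hunt_ips
    return out


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for dom, info in result["hunt"].items():
        print(dom, sorted(info["ips"]), info["connections"], "connections")
    print("dns only:", result["dns_only"])
```

Two things fall out that a flat read of the table hides. First, 96.216.82.185.in-addr.arpa is a reverse lookup of 185.82.216.96, the address behind server16.thestatsfiles.ru, so the PTR rows are the agent looking at its own infrastructure rather than unrelated noise. Second, the UUID-labelled name under thestatsfiles.ru was resolved but never connected to within the capture window; a per-host UUID hostname is a common victim-identifier pattern (a heuristic, not something the report states), so it belongs on a DNS watchlist even without an observed connection. cdn.discordapp.com lands in the hunt class because it is a legitimate service; what to retrieve and block there is the specific URL, which this capture does not show.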

Files

memory/1816-1-0x0000000003340000-0x000000000373A000-memory.dmp

memory/1816-2-0x0000000004FE0000-0x00000000058CB000-memory.dmp

memory/1816-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4116-4-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

memory/4116-5-0x00000000027E0000-0x0000000002816000-memory.dmp

memory/4116-6-0x0000000004FD0000-0x00000000055F8000-memory.dmp

memory/4116-7-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4116-8-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4116-9-0x0000000004E10000-0x0000000004E32000-memory.dmp

memory/4116-10-0x0000000004EB0000-0x0000000004F16000-memory.dmp

memory/4116-11-0x00000000056B0000-0x0000000005716000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmavf4yo.345.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4116-21-0x0000000005820000-0x0000000005B74000-memory.dmp

memory/4116-22-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

memory/4116-23-0x0000000005E10000-0x0000000005E5C000-memory.dmp

memory/4116-24-0x00000000061F0000-0x0000000006234000-memory.dmp

memory/4116-25-0x00000000070F0000-0x0000000007166000-memory.dmp

memory/4116-26-0x00000000077F0000-0x0000000007E6A000-memory.dmp

memory/4116-27-0x0000000007190000-0x00000000071AA000-memory.dmp

memory/4116-29-0x0000000007350000-0x0000000007382000-memory.dmp

memory/4116-30-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/4116-41-0x0000000007390000-0x00000000073AE000-memory.dmp

memory/4116-31-0x0000000070D60000-0x00000000710B4000-memory.dmp

memory/4116-42-0x00000000073B0000-0x0000000007453000-memory.dmp

memory/4116-43-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4116-44-0x00000000074A0000-0x00000000074AA000-memory.dmp

memory/4116-45-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/1816-28-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4116-46-0x0000000007560000-0x00000000075F6000-memory.dmp

memory/4116-47-0x00000000074C0000-0x00000000074D1000-memory.dmp

memory/4116-48-0x0000000007500000-0x000000000750E000-memory.dmp

memory/4116-49-0x0000000007510000-0x0000000007524000-memory.dmp

memory/4116-50-0x0000000007600000-0x000000000761A000-memory.dmp

memory/4116-51-0x0000000007540000-0x0000000007548000-memory.dmp

memory/4116-54-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/1816-56-0x0000000003340000-0x000000000373A000-memory.dmp

memory/1816-57-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1816-58-0x0000000004FE0000-0x00000000058CB000-memory.dmp

memory/2756-68-0x0000000005A10000-0x0000000005D64000-memory.dmp

memory/2756-70-0x0000000070AE0000-0x0000000070E34000-memory.dmp

memory/2756-69-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/2756-80-0x0000000007170000-0x0000000007213000-memory.dmp

memory/2756-81-0x0000000007490000-0x00000000074A1000-memory.dmp

memory/1816-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4604-82-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2756-84-0x00000000074E0000-0x00000000074F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2160-94-0x0000000006040000-0x0000000006394000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e26be66f5b436e3bcfe6f90bfaabb4d4
SHA1 37c4d3bd2c2c4551d6a2cb742482b270251e2daf
SHA256 6fee13c96d24613a6b8f8a3ba9ef2300dbd2c1b3179d13e3e2de7b103906778f
SHA512 76b426ade50bee480a477fe345fd09127de46b690a73d2122714e98127db94824bb19c62e670d5d8a0c53cfd57ce6d0a4bb14bdd44ba183716dce11fbd598295

memory/2160-99-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/2160-100-0x0000000070F30000-0x0000000071284000-memory.dmp

memory/4192-111-0x0000000005FC0000-0x0000000006314000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8dd36c5f7a20a8dd322ab60e6888217a
SHA1 967db5c20e79621439c3950199ce699777fdbfc7
SHA256 6359230fd723b6f250a01fcacbd1735a7dd7db6adaa1db0494c6b1c5825a0e3d
SHA512 05913a127d9f76a81f520ba6459574484eae6dac0aabe15f78793ae96c0650c023c2e467cf4276fc705939b44541b016dd07b526edf672532a763f0628f15014

memory/4192-122-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/4192-123-0x00000000710E0000-0x0000000071434000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 cb2545e9859ef4bbf897ac0887a0ce31
SHA1 440e5d9cece3cc3b97818627123ab4f8cb0a67aa
SHA256 7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb
SHA512 c00317b099178369f852d0a6dcee11bcfb70736f53cc0191c07f9b88bcba3cec9ffe1da614641e72f9a8680a1577b1e3072aed834f64dcee2007332c0b6b1de5

memory/4604-137-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06ed54b631b7134985af91d1f79ba472
SHA1 e1363138bb55d7ad8f5935d5263610d2934a9596
SHA256 8d1dcc35fef06126a6ae95f204f6596794bc91d6b36b1f1e95b44c8596b03862
SHA512 4531496782a84ad425314172dd382302e55602349084b20848ec047ea8de680db28644ced69567b13b830be5a6e92ea1a0a8923a4eb030c63ca4dddc90a32863

memory/2776-150-0x00000000056B0000-0x0000000005A04000-memory.dmp

memory/2776-153-0x00000000716F0000-0x0000000071A44000-memory.dmp

memory/2776-152-0x0000000070960000-0x00000000709AC000-memory.dmp

memory/3880-176-0x00000000057F0000-0x0000000005B44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 18153c8cfc1ff71172c892d394376d78
SHA1 c530eea9a155ff203f1113a8ed15f365c1099f8f
SHA256 7610f8bd12b59f9fca3d6e8aa09058fdb33b7a416bcdb9e285b3398ec221fb85
SHA512 4c35ba35082e589b24cf216f02bca4e3069f1db213c76d92a40e69fce2c37a6edbe37691eab085c97ecd72fedfa259012957f5400642809668dfa78aac72d47e

memory/3184-165-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3880-177-0x00000000061B0000-0x00000000061FC000-memory.dmp

memory/3880-179-0x0000000070A00000-0x0000000070D54000-memory.dmp

memory/3880-189-0x0000000006E70000-0x0000000006F13000-memory.dmp

memory/3880-178-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/3880-190-0x00000000071B0000-0x00000000071C1000-memory.dmp

memory/3880-191-0x00000000054D0000-0x00000000054E4000-memory.dmp

memory/3196-199-0x00000000056D0000-0x0000000005A24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ebe47bfec7518d194cc1b21aad829bb4
SHA1 262c7365a50b77fe33b5163d55a3f4c955a83f32
SHA256 adc13288cc94b34ad23801e142ca07d822bc6b26b34907a4a7ee8c0f9ec58cd7
SHA512 9af47cff504b37d9d86005e0340a9e4b3e2858d15450f819cbaa87c60b1d76ac8727ca14792f0fd7dd7a66a56dc6391bae69cdbad204ae9db14dd3327dc15568

memory/3196-205-0x0000000070A10000-0x0000000070D64000-memory.dmp

memory/3196-204-0x0000000070880000-0x00000000708CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3184-222-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1212-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1212-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3184-232-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3972-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3184-235-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3184-238-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3972-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3184-241-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3184-244-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3184-247-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3184-250-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3184-253-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3184-256-0x0000000000400000-0x0000000002ED5000-memory.dmp
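The Files list above mixes real dropped artifacts with files PowerShell writes on every launch (the __PSScriptPolicyTest_*.ps1 policy probe, StartupProfileData-Interactive, the CLR usage log), and it shows that the "dropped" C:\Windows\rss\csrss.exe has exactly the SHA256 of the submitted sample. The following is an added example, not code from this report or the sandbox: a Python triage that parses entries in the list's own layout (path line, then hash lines), discards the PowerShell runtime noise, flags self-copies of the sample, and produces a hash hunt list. Paths and hashes are copied from the list (SHA512 values left out to keep lines short); the noise patterns and class names are this example's assumptions.

```python
"""File-artifact triage for the Files list above.

Added example. Paths and hashes are copied from this report (SHA512
values left out to keep lines short); the noise patterns and class
names are this example's own assumptions."""
import re
from pathlib import PureWindowsPath

SAMPLE_SHA256 = "7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb"

# Constructed sample input in the report's own layout: a path line followed by hash lines.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmavf4yo.345.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5 968cb9309758126772781b83adb8a28f
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
MD5 e26be66f5b436e3bcfe6f90bfaabb4d4
SHA256 6fee13c96d24613a6b8f8a3ba9ef2300dbd2c1b3179d13e3e2de7b103906778f
C:\Windows\rss\csrss.exe
MD5 cb2545e9859ef4bbf897ac0887a0ce31
SHA256 7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5 d98e33b66343e7c96158444127a117f6
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
C:\Windows\windefender.exe
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
# PowerShell's own start-up artifacts: written by every powershell.exe launch, not by the malware.
POWERSHELL_NOISE = (
    re.compile(r"\\__PSScriptPolicyTest_[\w.]+\.ps1$", re.I),
    re.compile(r"\\PowerShell\\StartupProfileData-\w+$", re.I),
    re.compile(r"\\CLR_v[\d.]+_\d+\\UsageLogs\\powershell\.exe\.log$", re.I),
)


def parse_files(text):
    """Return [{'path': ..., 'hashes': {'MD5': ..., 'SHA256': ...}}] from the report's Files layout."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_LINE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1).upper()] = m.group(2).lower()
        elif line:
            entries.append({"path": line, "hashes": {}})
    return entries


def classify(entry, sample_sha256=SAMPLE_SHA256):
    """'noise' for PowerShell runtime files, 'self_copy' if the bytes equal the sample, else 'dropped'."""
    if any(p.search(entry["path"]) for p in POWERSHELL_NOISE):
        return "noise"
    if entry["hashes"].get("SHA256") == sample_sha256:
        return "self_copy"
    return "dropped"


def hunt_list(entries):
    """SHA256 -> file name for everything worth searching for on other hosts."""
    return {e["hashes"]["SHA256"]: PureWindowsPath(e["path"]).name
            for e in entries if classify(e) != "noise"}


if __name__ == "__main__":
    parsed = parse_files(FILES_TEXT)
    for e in parsed:
        print(f"{classify(e):9s} {e['path']}")
    print(hunt_list(parsed))
```

The self-copy check matters for scoping: the persistence target C:\Windows\rss\csrss.exe is the original dropper copied into place, so a hash search for the sample already covers it, and the only new binaries to add to the hunt list are injector.exe and windefender.exe. The five StartupProfileData-Interactive entries in the list carry five different hashes for the same path, one per PowerShell launch, which is exactly why their hashes are excluded here rather than shipped as indicators.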

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:27

Reported

2024-05-09 19:30

Platform

win11-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 matches recorded, none with description, indicator, process or target details

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches recorded, none with description, indicator, process or target details

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\system32\cmd.exe
PID 1112 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2548 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1112 wrote to memory of 256 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 256 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 256 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\rss\csrss.exe
PID 1112 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\rss\csrss.exe
PID 1112 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe C:\Windows\rss\csrss.exe
PID 3212 wrote to memory of 4684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 2680 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3212 wrote to memory of 2680 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4936 wrote to memory of 2916 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 2916 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 2916 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2916 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2916 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
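The rows above name each parent/child pair up to three times (one row per write). The following script, an added example rather than part of the report, rebuilds the process tree from them. The ROWS text is constructed from this table; a root in the output only means that no row here names that process's parent (the second sample instance, PID 1112, is one such root).

```python
"""Rebuild the parent/child process tree from the 'wrote to memory of' rows
above. Added example, not part of the report. ROWS is constructed from this
section; the sandbox repeats each pair up to three times, so rows are deduped."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ROWS = r"""
PID 3928 wrote to memory of 4672 N/A {S} {PS}
PID 3928 wrote to memory of 4672 N/A {S} {PS}
PID 3928 wrote to memory of 4672 N/A {S} {PS}
PID 1112 wrote to memory of 3576 N/A {S} {PS}
PID 1112 wrote to memory of 2548 N/A {S} C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1112 wrote to memory of 256 N/A {S} {PS}
PID 1112 wrote to memory of 2684 N/A {S} {PS}
PID 1112 wrote to memory of 3212 N/A {S} C:\Windows\rss\csrss.exe
PID 3212 wrote to memory of 4684 N/A C:\Windows\rss\csrss.exe {PS}
PID 3212 wrote to memory of 4048 N/A C:\Windows\rss\csrss.exe {PS}
PID 3212 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe {PS}
PID 3212 wrote to memory of 2680 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4936 wrote to memory of 2916 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
""".format(S=SAMPLE, PS=PS)

# One report row: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_rows(text):
    """Return the set of unique (parent_pid, child_pid, parent_image, child_image)."""
    edges = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.add((int(ppid), int(cpid), pimg, cimg))
    return edges


def build_tree(edges):
    """Return (children, images, roots). A root is a PID that no row names as a child."""
    children, images = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in sorted(edges):
        children[ppid].append(cpid)
        images[ppid], images[cpid] = pimg, cimg
    all_children = {c for _, c, _, _ in edges}
    roots = sorted(p for p in children if p not in all_children)
    return dict(children), images, roots


def render(children, images, roots):
    """Indented text tree, one process per line as 'pid  basename'."""
    lines = []

    def walk(pid, depth):
        lines.append("%s%d  %s" % ("  " * depth, pid, images[pid].rsplit("\\", 1)[-1]))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    kids, imgs, tops = build_tree(parse_rows(ROWS))
    print(render(kids, imgs, tops))
```

The tree makes the chain visible at a glance: the sample spawns PowerShell and cmd.exe (which runs netsh), then C:\Windows\rss\csrss.exe, which spawns three more PowerShell instances and injector.exe; windefender.exe separately drives cmd.exe and sc.exe.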

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe

"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe

"C:\Users\Admin\AppData\Local\Temp\7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
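Three of the command lines above are the steps a responder needs to recognise: the netsh rule allows inbound connections to C:\Windows\rss\csrss.exe, the schtasks command re-launches that copy at every logon with the highest run level, and sc sdset replaces the WinDefender service DACL with one whose (D;;WPDT;;;BA) ACE denies Builtin Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so an administrator cannot stop the service through the service control manager. The following triage script is an added example, not part of the report or of the sample; it parses the SDDL and classifies constructed copies of the command lines listed above. The trusted-directory list and the set of core Windows process names are the example's own assumptions.

```python
"""Triage Windows process-creation command lines for the three steps shown in
the Processes list above: an inbound firewall allow rule, an elevated logon
task, and a service DACL rewrite via sc sdset. Added example, not part of the
report; SAMPLE_CMDLINES is constructed from the command lines listed above."""
import re

# SDDL two-letter rights as they apply to service objects (what sc sdset edits).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# ACE string layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^()]*\))*)")
ARG = r'(?:"[^"]+"|\S+)'  # one quoted or bare command-line argument
# Assumed trusted program locations; a persistence target elsewhere is flagged.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed list of core Windows process names that malware borrows (csrss.exe here).
CORE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "wininit.exe", "winlogon.exe", "svchost.exe"}

WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_CMDLINES = [  # constructed from the Processes list above
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    "sc sdset WinDefender " + WINDEFENDER_SDDL,
    "powershell -nologo -noprofile",
]


def split_rights(rights):
    """'WPDT' -> ['WP', 'DT']; a hex access mask is returned as-is."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Split an SDDL string into its DACL ('D') and SACL ('S') ACE lists."""
    acl = {"D": [], "S": []}
    for kind, _acl_flags, body in SECTION_RE.findall(sddl):
        for ace_type, flags, rights, _obj, _iobj, sid in ACE_RE.findall(body):
            acl[kind].append({"type": ace_type, "flags": flags,
                              "rights": split_rights(rights), "sid": sid})
    return acl


def denied_service_rights(sddl, sid="BA"):
    """Service rights explicitly denied to `sid` (default BA = Builtin Administrators)."""
    denied = []
    for ace in parse_sddl(sddl)["D"]:
        if ace["type"] == "D" and ace["sid"] == sid:
            denied.extend(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
    return denied


def path_findings(arg):
    """(path, reasons): why a program path used for persistence looks wrong."""
    path = arg.strip('"')
    low = path.lower()
    reasons = []
    if not low.startswith(TRUSTED_DIRS):
        reasons.append("outside trusted dirs")
    if low.rsplit("\\", 1)[-1] in CORE_NAMES and not low.startswith("c:\\windows\\system32\\"):
        reasons.append("core process name outside System32")
    return path, reasons


def triage_cmdline(cmdline):
    """Findings for one command line; [] means nothing here is suspicious."""
    findings = []
    m = re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)", cmdline, re.I)
    if m and re.search(r"\bdir=in\b", m.group(1), re.I) and re.search(r"\baction=allow\b", m.group(1), re.I):
        prog = re.search(r"program=(" + ARG + ")", m.group(1), re.I)
        if prog:
            path, reasons = path_findings(prog.group(1))
            if reasons:
                findings.append("firewall: inbound allow for %s (%s)" % (path, "; ".join(reasons)))
    m = re.search(r"schtasks\s+/create\b(.*)", cmdline, re.I)
    if m:
        args = m.group(1)
        tr = re.search(r"/tr\s+(" + ARG + ")", args, re.I)
        if tr and re.search(r"/sc\s+onlogon\b", args, re.I) and re.search(r"/rl\s+highest\b", args, re.I):
            path, reasons = path_findings(tr.group(1))
            if reasons:
                findings.append("schtasks: elevated logon task runs %s (%s)" % (path, "; ".join(reasons)))
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if m:
        denied = denied_service_rights(m.group(2))
        if "STOP" in denied:
            findings.append("service %s: admins denied %s" % (m.group(1), ", ".join(denied)))
    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        for finding in triage_cmdline(cmd):
            print(finding, "<-", cmd[:60])
```

The regexes search the whole command line rather than its first token, so the cmd.exe /C wrappers in the list above (Sysnative\cmd.exe running netsh, SysWOW64\cmd.exe running sc) produce the same finding as their child processes; deduplicate on the child if that is noisy. `sc sdset` accepts the same SDDL syntax on a live host, so the same parser can check `sc sdshow <service>` output during incident response.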

Network

Country Destination Domain Proto
US 8.8.8.8:53 355e19d8-f9b2-4065-8104-1479808108be.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 3.33.249.248:3478 stun.sipgate.net udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
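As an added example (not part of the report), the following script reads the table above and flags what a practitioner would look at first: the leftmost label of the first name queried is a UUID, a common way to carry a per-host identifier in a DNS query; stun.sipgate.net on UDP 3478 is STUN, which tells a client its public address; and the in-addr.arpa query is a reverse lookup of 104.21.94.82, the address contacted for carsalessystem.com. The rows are constructed from this table, and the heuristics (UUID label, STUN port, last-two-label zone) are the example's assumptions, not conclusions the report draws.

```python
"""Pick out of a sandbox network table the names that look like per-host
beacons and the side channels around them. Added example, not part of the
report; NETWORK_ROWS is constructed from the Network table above."""
import re
from collections import defaultdict

# Assumption: a UUID as the leftmost DNS label encodes a per-host identifier.
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
STUN_PORT = 3478  # STUN lets a client learn its public IP / NAT mapping

NETWORK_ROWS = """\
US 8.8.8.8:53 355e19d8-f9b2-4065-8104-1479808108be.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 3.33.249.248:3478 stun.sipgate.net udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
"""


def parse_rows(text):
    """Rows of the form 'CC ip:port domain proto' -> list of dicts."""
    rows = []
    for line in text.splitlines():
        cc, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def zone(domain):
    """Crude registrable domain: the last two labels (enough for the zones here)."""
    return ".".join(domain.split(".")[-2:])


def host_id_label(domain):
    """The leftmost label if it is a UUID, else None."""
    first = domain.split(".")[0]
    return first if UUID_LABEL.match(first) else None


def ptr_target(domain):
    """'82.94.21.104.in-addr.arpa' -> '104.21.94.82'; None for a forward name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def analyze(rows):
    """Return findings as (kind, subject, detail) tuples, in table order."""
    findings = []
    names_by_zone = defaultdict(set)
    contacted_ips = {r["ip"] for r in rows if r["port"] != 53}
    for r in rows:
        name = r["domain"]
        target = ptr_target(name)
        if target:  # reverse lookup: interesting when it resolves an IP we talked to
            if target in contacted_ips:
                findings.append(("ptr-of-contacted-ip", name, target))
            continue
        names_by_zone[zone(name)].add(name)
        hid = host_id_label(name)
        if hid:
            findings.append(("dns-host-id", name, hid))
        if r["proto"] == "udp" and r["port"] == STUN_PORT:
            findings.append(("stun", name, r["ip"]))
    # A zone that carries a host-id name next to plain server names is the one to block.
    for z, names in names_by_zone.items():
        if len(names) > 1 and any(host_id_label(n) for n in names):
            findings.append(("zone-with-host-id", z, sorted(names)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(parse_rows(NETWORK_ROWS)):
        print("%-20s %-60s %s" % (kind, subject, detail))
```

Blocking only the UUID-labelled name would miss the next host, whose label differs; the zone-level finding is the one that carries over, and the 443 connections to 185.82.216.96 under server3.thestatsfiles.ru are the matching network indicator.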

Files

memory/3928-1-0x0000000003330000-0x000000000372F000-memory.dmp

memory/3928-2-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/3928-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4672-4-0x000000007448E000-0x000000007448F000-memory.dmp

memory/4672-5-0x0000000002220000-0x0000000002256000-memory.dmp

memory/4672-6-0x0000000004CD0000-0x00000000052FA000-memory.dmp

memory/4672-7-0x0000000074480000-0x0000000074C31000-memory.dmp

memory/4672-8-0x0000000074480000-0x0000000074C31000-memory.dmp

memory/4672-9-0x0000000004B70000-0x0000000004B92000-memory.dmp

memory/4672-10-0x0000000004C10000-0x0000000004C76000-memory.dmp

memory/4672-11-0x0000000005370000-0x00000000053D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hu4o4ej.00w.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4672-20-0x0000000005520000-0x0000000005877000-memory.dmp

memory/4672-21-0x0000000005A20000-0x0000000005A3E000-memory.dmp

memory/4672-22-0x0000000005A70000-0x0000000005ABC000-memory.dmp

memory/4672-23-0x0000000006A00000-0x0000000006A46000-memory.dmp

memory/4672-24-0x0000000006E50000-0x0000000006E84000-memory.dmp

memory/4672-25-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/4672-26-0x0000000070880000-0x0000000070BD7000-memory.dmp

memory/4672-36-0x0000000006EB0000-0x0000000006F54000-memory.dmp

memory/4672-35-0x0000000006E90000-0x0000000006EAE000-memory.dmp

memory/4672-37-0x0000000007620000-0x0000000007C9A000-memory.dmp

memory/4672-38-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

memory/4672-39-0x0000000007020000-0x000000000702A000-memory.dmp

memory/4672-40-0x0000000007130000-0x00000000071C6000-memory.dmp

memory/4672-42-0x0000000007040000-0x0000000007051000-memory.dmp

memory/3928-41-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4672-43-0x0000000007090000-0x000000000709E000-memory.dmp

memory/4672-44-0x00000000070A0000-0x00000000070B5000-memory.dmp

memory/4672-45-0x00000000070F0000-0x000000000710A000-memory.dmp

memory/4672-46-0x0000000007110000-0x0000000007118000-memory.dmp

memory/4672-49-0x0000000074480000-0x0000000074C31000-memory.dmp

memory/3928-52-0x0000000003330000-0x000000000372F000-memory.dmp

memory/3928-53-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/3928-51-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3576-62-0x0000000005AF0000-0x0000000005E47000-memory.dmp

memory/3576-64-0x0000000070870000-0x0000000070BC7000-memory.dmp

memory/3576-63-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/3576-73-0x0000000007140000-0x00000000071E4000-memory.dmp

memory/3576-74-0x0000000007460000-0x0000000007471000-memory.dmp

memory/3576-75-0x00000000074B0000-0x00000000074C5000-memory.dmp

memory/1112-78-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/256-80-0x00000000055A0000-0x00000000058F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ea8c0362bfd91709416c9cd1a95f8b76
SHA1 80bc2a099a29935feeb44fe11971e7c5b357f50a
SHA256 cc96e15c0979d1860a76fedd9c98184b9af8213f2c59de658e62d18a822b2872
SHA512 23aae86f7e01d9582d9125528261c64c0ca2f0e5947cbef2cd3928dec37c569ab6cfb1c79e32fdda31ce14f869fc0e7bc769d34cf00ffc5f25c3caa4d30c91a6

memory/256-90-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/256-91-0x0000000070940000-0x0000000070C97000-memory.dmp

memory/3928-100-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c666a74067b63330f20b64254cc3fc9f
SHA1 374939438be995e8d540868c985aa55124ff69f7
SHA256 e802399ad0e2356c8c4529fcff749906863753724f0013413783b3af43304c59
SHA512 617bfb99c98685a53a4e0b9a3dc3db41dcb437fcfc83fb449faa5453302bc8730d09be2dd0a9d8587843c49e2a83c3cf31a29da49e54f2548e3af66813befe6b

memory/2684-111-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/2684-112-0x0000000070940000-0x0000000070C97000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 cb2545e9859ef4bbf897ac0887a0ce31
SHA1 440e5d9cece3cc3b97818627123ab4f8cb0a67aa
SHA256 7bfe0976d90fdfd1032099006ba346eced04e30a48af5aaf3c66821bb34f55eb
SHA512 c00317b099178369f852d0a6dcee11bcfb70736f53cc0191c07f9b88bcba3cec9ffe1da614641e72f9a8680a1577b1e3072aed834f64dcee2007332c0b6b1de5

memory/1112-128-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a6922b5b6b0706695a052e1513fe6474
SHA1 562069184fec86454d9ebe63c67882cc3f5fb316
SHA256 2ce26898e8873ae7074a2858cc59f812227404a6926fed7cc6ddde225b8c44db
SHA512 90ac96d074ba2b4081130e53e2e3f9c237a8ffd79b6597f0aae319b86d836fb7869301b67de4d88022570204fa164f3753646f5dc2c723ff443876755c9aad9d

memory/4684-139-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/4684-140-0x0000000070870000-0x0000000070BC7000-memory.dmp

memory/4048-159-0x00000000062D0000-0x0000000006627000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d5f7004948a1ff1b96da35183d7d427e
SHA1 234f361bf0eda32ce7fe8dae4a353f3e4b0a9557
SHA256 bfd3226006012ecbd35a09a9cda6ead0594a46aa0c208ec68981e944f850e07c
SHA512 e2e35787793ea53ce5c21d670ff91282f8e1e902c36830bc17462204e633eb30708fd9e42ea5f90688ef5007fdb2bb44a46242b65c3e41c66b2c5d825bc130ee

memory/4048-161-0x0000000006E20000-0x0000000006E6C000-memory.dmp

memory/4048-162-0x0000000070610000-0x000000007065C000-memory.dmp

memory/4048-163-0x0000000070860000-0x0000000070BB7000-memory.dmp

memory/4048-172-0x0000000007B20000-0x0000000007BC4000-memory.dmp

memory/4048-173-0x0000000006690000-0x00000000066A1000-memory.dmp

memory/4048-174-0x00000000066D0000-0x00000000066E5000-memory.dmp

memory/3104-184-0x0000000005F40000-0x0000000006297000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 82357cbc0c3df7445827048b567e2151
SHA1 3bbf778a2494e22dfa7239623a3b37a0596d8f62
SHA256 09ff7168daddfcc86fe64a320582dd92d51ff7ca210738261c0a94af34d8fb16
SHA512 1c5ee0e98eacb4fbeb039ba6f69a35675c0cb1372da78b4d13e969b37142d41a36eccfce4191a3d47dca1a283140020dc788777912a1f18b62fc6637cb1f1e76

memory/3104-187-0x0000000070790000-0x0000000070AE7000-memory.dmp

memory/3104-186-0x0000000070610000-0x000000007065C000-memory.dmp

memory/3212-197-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4936-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3212-206-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2480-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4936-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3212-218-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2480-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3212-222-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3212-226-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2480-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3212-230-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3212-234-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3212-238-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3212-242-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3212-246-0x0000000000400000-0x0000000002ED5000-memory.dmp