Malware Analysis Report

2025-01-02 06:26

Sample ID 240516-ssvcaaba98
Target 7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed
SHA256 7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed

Threat Level: Known bad

The file 7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:23

Reported

2024-05-16 15:26

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS


Suspicious behavior: EnumeratesProcesses


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 784 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 784 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 784 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 784 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 784 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe C:\Windows\rss\csrss.exe
PID 1680 wrote to memory of 3620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 3896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 4916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 4680 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4376 wrote to memory of 488 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 488 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe

"C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe

"C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04ysfrzv.e1p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b7531290a61df65b16e4690ab69bf14
SHA1 b2770afe5f0c1bbe3bead501eec6b67f14bf88fb
SHA256 01ee71df6b3294c7e3c3be8be96db31d0d4092e94e50c73b533f9d9d1a5d9f1a
SHA512 4e07df0db3c81b95c40b8303efe4f87b6e4fa10a12c7c179a42a1cd7393908eff793793461c87faa9401f3dfc613d2d9ccf988ee1c394de5dd67be4f53d39121

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cfa69124a31ab8c4d4a34b3c63cff518
SHA1 a48e59f5104c12b163e7a82d498d561e7030e78a
SHA256 c53e03f8c9b1514e85484a2da1821272a4c4811e03241d66c30fc84ce63260d2
SHA512 db884ec2d6d18e69cfd6890a0bac7c19277987d1595dfa2449f2bfd3af2ccd2ba64e5235f00fc003d4ad1e618d12c2360c6cee2611303a8fe0649a6184a9a322

C:\Windows\rss\csrss.exe

MD5 1e1a3a525de8a7c9a20b1196b0f8264e
SHA1 6c0bf1c39ac0dbf168f7202999ca7d2630e6dd25
SHA256 7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed
SHA512 1404f0bd3b9a3c1abe4799cf8b6d9428e1a182eaee80642cb63347a246a36befd4b5e5fcfbf1a46f5d8bb16b9401b7a6faec7735cb865f3104f8a17a16fd35a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3dde7a1615f9eae1173b5a0ed21f1da8
SHA1 b8cb7ea6021068296342a2cc7673d3b2b4d7bbb1
SHA256 029148babc0c92cd588653b22f14f983f79eab1a2b0ae29b10aac3725f7974f3
SHA512 40e9a735165cd4e34868b2314140cd366de42ddd127eea10bde80a276bade8becda1861b5f6ff6c2000318a30db94e8464596f1ff3236d0bf689d58721d6a7c7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 19bb8d73ab5f27ce20e687eb52928953
SHA1 605a57911619e86cf8ac05783196631d5deef549
SHA256 262204153b0a7f704365ccb733c331d5177b84330b6f02d7b04ca33ef2a54043
SHA512 adeea37f6b111eb1819a9a11784e668f8f1fe19979bb579f1fb96ba9fa2951dcb84c49005aa92a78d57827c13e4c600b14e848e893b90d964500558ece8dbfcf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0b7d3441bfa7a431d3cdeec0ab16bfc6
SHA1 238cda0c196eb3d90a6fb8f77b91310fe26a107d
SHA256 10520cff4809d7c521a3d071fbdd69f133bfbfcae35837270c06210c191885c6
SHA512 e5fa44dc472cf90ac398c8258cd17b787eb163b0cbb29e4b722683571543cdabf0686d70fb9753bf820dbbc7a8affcbe716205802e7d5ab0d72253149b286465

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:23

Reported

2024-05-16 15:26

Platform

win11-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4520 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\system32\cmd.exe
PID 4644 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 2356 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 2356 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4644 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\rss\csrss.exe
PID 4644 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\rss\csrss.exe
PID 4644 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe | C:\Windows\rss\csrss.exe
PID 2440 wrote to memory of 1684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 1684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 1684 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 3108 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 3108 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 3108 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 3556 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 3556 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 3556 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 2948 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2440 wrote to memory of 2948 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4936 wrote to memory of 4416 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 4416 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 4416 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 3356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4416 wrote to memory of 3356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4416 wrote to memory of 3356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe

"C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe

"C:\Users\Admin\AppData\Local\Temp\7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2348e55d-dfb8-4775-a421-bf885ae6fc9b.uuid.realupdate.ru | udp
US | 8.8.8.8:53 | server4.realupdate.ru | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
DE | 81.3.27.44:3478 | stun.ipfire.org | udp
US | 162.159.135.233:443 | cdn.discordapp.com | tcp
BG | 185.82.216.96:443 | server4.realupdate.ru | tcp
US | 104.21.94.82:443 | carsalessystem.com | tcp
BG | 185.82.216.96:443 | server4.realupdate.ru | tcp
BG | 185.82.216.96:443 | server4.realupdate.ru | tcp
N/A | 127.0.0.1:31465 | | tcp
BG | 185.82.216.96:443 | server4.realupdate.ru | tcp

Files

memory/4520-1-0x0000000002A20000-0x0000000002E20000-memory.dmp

memory/4520-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/4520-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2380-4-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

memory/2380-5-0x0000000002840000-0x0000000002876000-memory.dmp

memory/2380-6-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/2380-7-0x0000000005090000-0x00000000056BA000-memory.dmp

memory/2380-8-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/2380-10-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/2380-11-0x00000000057E0000-0x0000000005846000-memory.dmp

memory/2380-9-0x0000000004F70000-0x0000000004F92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgqgbb1f.vhl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2380-20-0x0000000005850000-0x0000000005BA7000-memory.dmp

memory/2380-21-0x0000000005D10000-0x0000000005D2E000-memory.dmp

memory/2380-22-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

memory/2380-23-0x00000000060C0000-0x0000000006106000-memory.dmp

memory/2380-24-0x0000000007140000-0x0000000007174000-memory.dmp

memory/2380-26-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/2380-36-0x0000000007180000-0x000000000719E000-memory.dmp

memory/2380-37-0x00000000071A0000-0x0000000007244000-memory.dmp

memory/2380-27-0x00000000711A0000-0x00000000714F7000-memory.dmp

memory/2380-25-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

memory/2380-38-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/2380-40-0x00000000072C0000-0x00000000072DA000-memory.dmp

memory/2380-39-0x0000000007910000-0x0000000007F8A000-memory.dmp

memory/2380-41-0x0000000007300000-0x000000000730A000-memory.dmp

memory/2380-42-0x00000000073C0000-0x0000000007456000-memory.dmp

memory/2380-43-0x0000000007330000-0x0000000007341000-memory.dmp

memory/2380-44-0x0000000007370000-0x000000000737E000-memory.dmp

memory/2380-45-0x0000000007380000-0x0000000007395000-memory.dmp

memory/2380-46-0x0000000007480000-0x000000000749A000-memory.dmp

memory/2380-47-0x0000000007460000-0x0000000007468000-memory.dmp

memory/2380-50-0x0000000074D40000-0x00000000754F1000-memory.dmp

memory/4644-52-0x0000000002A20000-0x0000000002E1D000-memory.dmp

memory/2144-61-0x0000000005460000-0x00000000057B7000-memory.dmp

memory/2144-62-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

memory/2144-63-0x00000000711C0000-0x0000000071517000-memory.dmp

memory/2144-72-0x0000000006C10000-0x0000000006CB4000-memory.dmp

memory/2144-73-0x0000000006F40000-0x0000000006F51000-memory.dmp

memory/2144-74-0x0000000006F90000-0x0000000006FA5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4584-86-0x0000000005640000-0x0000000005997000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3b7df3aea4ba420a7b0b503d643fbc24
SHA1 0a55743b90e3bcba165a083b4610f16513baeffc
SHA256 cd0dda66ffc3d5f4bb788077d495101f1fd069af8f9fbff511dd99c6aa7d4280
SHA512 d484bb00967cdaafadb002d36f08492cba4692f9d4aaebf9e3f03c936ee5067e11880d5e5a71afb31c9ca598465f574ddfc3110f1139f74fb09dbb4dca1177e3

memory/4584-89-0x0000000071130000-0x0000000071487000-memory.dmp

memory/4584-88-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 29bce150be481b7b2dd8eb0900f2dd3d
SHA1 b0183a28186dff69b1e921c347bf8f8799c4c647
SHA256 fc18a0e5d98e608cbe3acc69abd473b340571a7b3b77ebbfd9310d8bb03d5d2d
SHA512 25d5ddeadf7cbdf283cf7ce4c28eb21bcbd6c8b008a5fba535f6025d3c8fd325c2dd8e2837febab5ad5dffed699ab9a11fe6a5f585c4d23fac2a352a066271e5

memory/4744-108-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

memory/4744-109-0x00000000711C0000-0x0000000071517000-memory.dmp

memory/4520-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4520-119-0x0000000002A20000-0x0000000002E20000-memory.dmp

memory/4520-120-0x0000000002E20000-0x000000000370B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 1e1a3a525de8a7c9a20b1196b0f8264e
SHA1 6c0bf1c39ac0dbf168f7202999ca7d2630e6dd25
SHA256 7f0a722aca85a97a408fff33bdc3ae92e284a04bfebe55b03dd6c25af6ce67ed
SHA512 1404f0bd3b9a3c1abe4799cf8b6d9428e1a182eaee80642cb63347a246a36befd4b5e5fcfbf1a46f5d8bb16b9401b7a6faec7735cb865f3104f8a17a16fd35a4

memory/4644-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1684-128-0x00000000058D0000-0x0000000005C27000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b80e2efe0e3f4a8eb69372b71ff5fb10
SHA1 4b586ee0cc00e9e7f29b1653903a012194a032cd
SHA256 7abc7cead8ba5a5544dd4f3bea6245f91fa0b5106568dc44ccfd59711d9113f2
SHA512 e937f990f2c044319d2eb574b022c0fb0d0868598f5a9218c21b9c9fe7458aef5340c3f24043315c6cd1936f6e8ac946e501ca7dedc14591b8d96323da5149e6

memory/1684-139-0x0000000071200000-0x0000000071557000-memory.dmp

memory/1684-138-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

memory/3108-157-0x00000000057E0000-0x0000000005B37000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 716494f46f697b5aa737dd373ebbddc8
SHA1 ebe91dfe91ca98df20ba616819a85acf1630cf6f
SHA256 3b6985932cd054d2e8ab5ead6c5ecd3bdf1342343e1d020243e693887b841617
SHA512 ef3211a84202912ddefa4e34728f4f82817f13ee25299f2e5a5ddf697411db274e3c9f5641f670af666c3f3e35ab84afcfb9555fdd60ab73529b46cc8154e771

memory/3108-159-0x0000000005FF0000-0x000000000603C000-memory.dmp

memory/3108-160-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

memory/3108-161-0x0000000071820000-0x0000000071B77000-memory.dmp

memory/3108-170-0x0000000006F80000-0x0000000007024000-memory.dmp

memory/3108-171-0x00000000072F0000-0x0000000007301000-memory.dmp

memory/3108-172-0x0000000005190000-0x00000000051A5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 626709ef21d0e0f920e90a992937574c
SHA1 de6c989dc69345da8306669bd9057d26b3da2e3b
SHA256 ce3263ab271b91e17ce97a84f661dbaf6a7845121f5e2d2ad7c4c1c50b5540e2
SHA512 7f26e40655b7ce85886994cd80a945dc49a0918f9e704fc8faf98ae51c5ccdb0717f7fd884fc4f74756b1106a5669918d253b38d3d62b69d63e65da2d78cf9c6

memory/3556-182-0x0000000005CB0000-0x0000000006007000-memory.dmp

memory/3556-184-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

memory/3556-185-0x0000000071050000-0x00000000713A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2440-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4936-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/400-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4936-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2440-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/400-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2440-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/400-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2440-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2440-245-0x0000000000400000-0x0000000000D1C000-memory.dmp