Malware Analysis Report

2025-08-10 17:22

Sample ID: 240417-s5zsjaec96
Target: bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6
SHA256: bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6
Tags: glupteba discovery dropper evasion loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6

Threat Level: Known bad

The file bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-17 15:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-17 15:43
Reported: 2024-04-17 15:45
Platform: win10v2004-20240412-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Hits | Description | Indicator | Process | Target
21 | N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Hits | Description | Indicator | Process | Target
1 | N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Hits | Description | Indicator | Process | Target
1 | N/A | N/A | C:\Windows\rss\csrss.exe | N/A
1 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
2 | N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Hits | Description | Indicator | Process | Target
3 | N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Hits | Description | Indicator | Process | Target
1 | Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Hits | Description | Indicator | Process | Target
1 | File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Hits | Description | Indicator | Process | Target
5 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Hits | Description | Indicator | Process | Target
1 | File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A

Drops file in Windows directory

Hits | Description | Indicator | Process | Target
1 | File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
1 | File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Hits | Description | Indicator | Process | Target
1 | N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Hits | Description | Indicator | Process | Target
2 | N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Hits | Description | Indicator | Process | Target
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
2 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
2 | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
2 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
2 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\windefender.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Hits | Description | Indicator | Process | Target
14 | N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
12 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
32 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
6 | N/A | N/A | C:\Windows\rss\csrss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Hits | Description | Indicator | Process | Target
7 | Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
1 | Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | N/A
1 | Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
2 | Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Hits | Description | Indicator | Process | Target
3 | PID 1852 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 | PID 2140 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2 | PID 2140 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | C:\Windows\system32\cmd.exe
2 | PID 1140 wrote to memory of 4008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
3 | PID 2140 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 | PID 2140 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 | PID 2140 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe | C:\Windows\rss\csrss.exe
3 | PID 336 wrote to memory of 5052 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 | PID 336 wrote to memory of 3996 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 | PID 336 wrote to memory of 5048 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2 | PID 336 wrote to memory of 452 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
3 | PID 4768 wrote to memory of 4704 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
3 | PID 4704 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe
    "C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe
    "C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
    C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 27053999-04ae-41d8-b4d3-bbaf2028a165.uuid.allstatsin.ru udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server15.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
BG 185.82.216.104:443 server15.allstatsin.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server15.allstatsin.ru tcp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:3478 N/A udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.104:443 server15.allstatsin.ru tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/1852-1-0x0000000004E60000-0x0000000005263000-memory.dmp

memory/1852-2-0x0000000005270000-0x0000000005B5B000-memory.dmp

memory/1852-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3028-4-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/3028-5-0x0000000002670000-0x0000000002680000-memory.dmp

memory/3028-6-0x00000000025D0000-0x0000000002606000-memory.dmp

memory/3028-7-0x0000000004CC0000-0x00000000052E8000-memory.dmp

memory/3028-8-0x0000000004BE0000-0x0000000004C02000-memory.dmp

memory/3028-9-0x00000000052F0000-0x0000000005356000-memory.dmp

memory/3028-10-0x0000000005360000-0x00000000053C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jrlmvrw.szb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3028-20-0x00000000055A0000-0x00000000058F4000-memory.dmp

memory/3028-21-0x0000000004920000-0x000000000493E000-memory.dmp

memory/3028-22-0x0000000005C70000-0x0000000005CBC000-memory.dmp

memory/3028-23-0x0000000006170000-0x00000000061B4000-memory.dmp

memory/1852-24-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3028-25-0x0000000002670000-0x0000000002680000-memory.dmp

memory/3028-26-0x0000000006E80000-0x0000000006EF6000-memory.dmp

memory/3028-27-0x00000000075F0000-0x0000000007C6A000-memory.dmp

memory/3028-28-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

memory/1852-29-0x0000000004E60000-0x0000000005263000-memory.dmp

memory/3028-31-0x000000007F3A0000-0x000000007F3B0000-memory.dmp

memory/3028-30-0x0000000007160000-0x0000000007192000-memory.dmp

memory/3028-32-0x0000000070880000-0x00000000708CC000-memory.dmp

memory/3028-33-0x0000000070A10000-0x0000000070D64000-memory.dmp

memory/3028-43-0x0000000007140000-0x000000000715E000-memory.dmp

memory/3028-44-0x00000000071A0000-0x0000000007243000-memory.dmp

memory/3028-45-0x00000000072B0000-0x00000000072BA000-memory.dmp

memory/3028-46-0x0000000007370000-0x0000000007406000-memory.dmp

memory/3028-47-0x00000000072D0000-0x00000000072E1000-memory.dmp

memory/3028-48-0x0000000007310000-0x000000000731E000-memory.dmp

memory/3028-49-0x0000000007320000-0x0000000007334000-memory.dmp

memory/3028-50-0x0000000007410000-0x000000000742A000-memory.dmp

memory/3028-51-0x0000000007360000-0x0000000007368000-memory.dmp

memory/3028-54-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1852-55-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1852-56-0x0000000005270000-0x0000000005B5B000-memory.dmp

memory/2140-58-0x0000000004D30000-0x0000000005132000-memory.dmp

memory/2140-59-0x0000000005140000-0x0000000005A2B000-memory.dmp

memory/2140-60-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1492-61-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1492-62-0x0000000003220000-0x0000000003230000-memory.dmp

memory/1492-72-0x0000000006460000-0x00000000067B4000-memory.dmp

memory/1492-73-0x0000000006D80000-0x0000000006DCC000-memory.dmp

memory/1492-74-0x0000000003220000-0x0000000003230000-memory.dmp

memory/1492-75-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/1492-76-0x0000000070B00000-0x0000000070E54000-memory.dmp

memory/1492-86-0x0000000007A80000-0x0000000007B23000-memory.dmp

memory/1492-87-0x0000000007D90000-0x0000000007DA1000-memory.dmp

memory/1492-88-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

memory/2140-89-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1492-92-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2196-94-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/2196-95-0x0000000002C30000-0x0000000002C40000-memory.dmp

memory/2196-96-0x0000000002C30000-0x0000000002C40000-memory.dmp

memory/2196-106-0x0000000005B50000-0x0000000005EA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bb726147145b514b2884afb2e875ebc3
SHA1 2799d447503b3b1da87e525a7aa1601f8741c07f
SHA256 a49a8891b0f533ef8690aa7d46a22a786d6355ce675af3ec2ebf3ffb7b93d347
SHA512 544080110f5d0165db443a1d22ddd982aadbe83c93cda8e6c6b1f1708e5afbdc67e6d5f475f3ee02dbf555b412aea3098a5e37e566f55b5ea4b761d10daef794

memory/2140-108-0x0000000004D30000-0x0000000005132000-memory.dmp

memory/2196-109-0x0000000002C30000-0x0000000002C40000-memory.dmp

memory/2196-110-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/2196-111-0x0000000071140000-0x0000000071494000-memory.dmp

memory/2196-122-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/3288-128-0x0000000006040000-0x0000000006394000-memory.dmp

memory/2140-129-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3288-136-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 995897d9b6d5c65cb9803817cc1a109d
SHA1 aba5e2fec6dfc2ce83f4ee0eea8b2616169ad631
SHA256 862ce3e9da5598c869d594cf3be2f4e51a50e80dd17180f29d3a1f629e9afe59
SHA512 fa2ed218196680871610467b07454eda69ed1a1069ffbdf601ebf8edb99910ce6eab55f6ce4457b60e1d649e1ca51927b16dab0645824c14638280bb3b7d78dc

memory/3288-137-0x0000000003010000-0x0000000003020000-memory.dmp

memory/3288-138-0x000000007FD90000-0x000000007FDA0000-memory.dmp

memory/3288-139-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/3288-140-0x0000000071120000-0x0000000071474000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ce57b5dce0868245685f17d73c85aea1
SHA1 2811a64847b91d734e17ba35ee73a803ab680cac
SHA256 bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6
SHA512 2b18e1feaee10706bc024655949900db21f85b3da2d7e9aed5b55d5ca210057288c82d62d4125e84fbc9aec932c252e785d01c214518f66b719fbddff4e9fea7

memory/2140-155-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b32246a426ac556033a383890e8ce8e
SHA1 83fd79684b36ccb0c3c89cdcd9a9400adc5ea233
SHA256 8505d32ffd4b5cdf326d77e3e877e6a5147c3615bd0063cb708e99d5e682a010
SHA512 0a37b41159fd758d876c80f9995f54957f91b6782ee8723c868cc70f2fdddd1f6a4259610c3f79e7f0e15e86a14f5cbd90d6769172f8671d2568cb58d7517424

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b7b31db981fd77ac067cdd5eb7e1d60
SHA1 534f5ba4fb3a58d39b161f454cf2eae0efdca04c
SHA256 4c31bff0fa44caea176745e06e8b649220472ceca224cd8e7fdb617158b268fd
SHA512 6cafa8f721a9017bd00029f6d229614616419875d8bb6743f4c5973e44e8b885771359935fe1c602931b535ec0819cbbd58c31a40ff79b18210157ae3834fbfe

memory/336-224-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e6cb31ca7c4c03dd72e4a9fad192d78b
SHA1 d1ff0ef9e5f24663bbed56124a8d300d5ff5e461
SHA256 c061b470289e541694c6025126212c1b08b526a4521fd4802130a5f553878481
SHA512 9c7c6fc388e9772555bac1a97686a48d7d2d4287aabcd556b91f204a14a335438e489f61b942338a8592f2041ad3c0dd9b578c395c656c9fef6210534e4ee82d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/336-257-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4768-265-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/336-264-0x0000000000400000-0x0000000003118000-memory.dmp

memory/336-268-0x0000000000400000-0x0000000003118000-memory.dmp

memory/336-269-0x0000000000400000-0x0000000003118000-memory.dmp

memory/336-271-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1184-272-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/336-273-0x0000000000400000-0x0000000003118000-memory.dmp

memory/336-275-0x0000000000400000-0x0000000003118000-memory.dmp

memory/336-277-0x0000000000400000-0x0000000003118000-memory.dmp

memory/336-279-0x0000000000400000-0x0000000003118000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 15:43

Reported

2024-04-17 15:45

Platform

win11-20240412-en

Max time kernel

152s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1344 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2816 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2780 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\rss\csrss.exe
PID 2780 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\rss\csrss.exe
PID 2780 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe C:\Windows\rss\csrss.exe
PID 2124 wrote to memory of 712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 712 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3912 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3912 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3912 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1500 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2124 wrote to memory of 1500 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 464 wrote to memory of 692 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 692 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 692 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 692 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 692 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
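
The WriteProcessMemory table above is the quickest place to recover the execution chain, since every row here is a parent writing into a child it has just started. The script below is an added example, not tooling from the sandbox report: it parses the rows, collapses the repeated parent/child pairs and prints the resulting process tree. The row text is transcribed from the table with image paths shortened to file names (the sample itself shortened to bf1497d3.exe); the same pair appears two or three times in the original because the signature logs every WriteProcessMemory call and a parent writes into a freshly created child more than once during start-up, so these repeats indicate process creation rather than separate injection events.

```python
"""Rebuild the spawn chain from the 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report. WPM_ROWS is transcribed from
that table with image paths cut down to file names (the sample itself is
shortened to bf1497d3.exe). Repeated parent/child pairs are collapsed to one
edge per spawn.
"""
import re

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Constructed sample: the report's 36 rows, paths reduced to basenames.
WPM_ROWS = """\
PID 1344 wrote to memory of 5108 N/A bf1497d3.exe powershell.exe
PID 1344 wrote to memory of 5108 N/A bf1497d3.exe powershell.exe
PID 1344 wrote to memory of 5108 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 1276 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 1276 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 1276 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 2816 N/A bf1497d3.exe cmd.exe
PID 2780 wrote to memory of 2816 N/A bf1497d3.exe cmd.exe
PID 2816 wrote to memory of 4084 N/A cmd.exe netsh.exe
PID 2816 wrote to memory of 4084 N/A cmd.exe netsh.exe
PID 2780 wrote to memory of 1976 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 1976 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 1976 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 4720 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 4720 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 4720 N/A bf1497d3.exe powershell.exe
PID 2780 wrote to memory of 2124 N/A bf1497d3.exe csrss.exe
PID 2780 wrote to memory of 2124 N/A bf1497d3.exe csrss.exe
PID 2780 wrote to memory of 2124 N/A bf1497d3.exe csrss.exe
PID 2124 wrote to memory of 712 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 712 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 712 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 2184 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 2184 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 2184 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 3912 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 3912 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 3912 N/A csrss.exe powershell.exe
PID 2124 wrote to memory of 1500 N/A csrss.exe injector.exe
PID 2124 wrote to memory of 1500 N/A csrss.exe injector.exe
PID 464 wrote to memory of 692 N/A windefender.exe cmd.exe
PID 464 wrote to memory of 692 N/A windefender.exe cmd.exe
PID 464 wrote to memory of 692 N/A windefender.exe cmd.exe
PID 692 wrote to memory of 3600 N/A cmd.exe sc.exe
PID 692 wrote to memory of 3600 N/A cmd.exe sc.exe
PID 692 wrote to memory of 3600 N/A cmd.exe sc.exe
"""


def parse_edges(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) edges, first-seen order."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return [(p, c, pi, ci) for (p, c), (pi, ci) in edges.items()]


def build_tree(edges):
    """Return (pid -> image, pid -> [child pids], root pids never seen as a child)."""
    image, children = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
        children.setdefault(ppid, []).append(cpid)
    spawned = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in image if pid not in spawned]
    return image, children, roots


def render(image, children, roots):
    """Indented text tree, one process per line, returned as a list of strings."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image[pid]} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*build_tree(parse_edges(WPM_ROWS)))))
```

The tree has three roots: two instances of the sample (PIDs 1344 and 2780) and windefender.exe (PID 464). The second sample instance is the one that spawns cmd.exe for the netsh firewall rule and launches the dropped C:\Windows\rss\csrss.exe, which in turn runs injector.exe against taskmgr.exe; windefender.exe separately runs the sc sdset command through a 32-bit cmd.exe. Every powershell.exe child is started as `powershell -nologo -noprofile` with no script on the command line, so what those instances executed is not visible from the process list alone.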

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe

"C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe

"C:\Users\Admin\AppData\Local\Temp\bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
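
The `sc sdset WinDefender ...` command in the process list replaces the security descriptor of the service that windefender.exe registers. The decoder below is an added example, not code from the sandbox report: it parses that exact SDDL string using the documented mapping of SDDL right codes onto service-specific rights, lists the deny ACEs, and walks the DACL in ACE order the way the Windows access check does. Trustee matching is by SID abbreviation only, with no group expansion, which is a simplification; the descriptor, the rights mapping and the evaluation order are as Windows defines them.

```python
"""Decode the service security descriptor set by `sc sdset WinDefender ...`.

Added example, not code from the sandbox report. SERVICE_RIGHTS is the
documented mapping of SDDL two-letter right codes onto service-specific and
standard rights. Trustee matching is by SID abbreviation only (no group
expansion), a simplification of the real access check.
"""
import re

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
TRUSTEES = {
    "SY": "LOCAL SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "IU": "Interactive users",
    "SU": "Service logon users",
    "WD": "Everyone",
}

# The SDDL exactly as it appears on the sc.exe command line in the report.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights(codes):
    """'WPDT' -> {'SERVICE_STOP', 'SERVICE_PAUSE_CONTINUE'}; codes are two letters each."""
    if len(codes) % 2:
        raise ValueError(f"odd-length rights string: {codes!r}")
    return {SERVICE_RIGHTS[codes[i:i + 2]] for i in range(0, len(codes), 2)}


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} with ACEs in the order written.

    Only the D: and S: sections are handled; an O:/G: owner/group prefix
    (absent in the report's string) would be ignored.
    """
    acls = {"dacl": [], "sacl": []}
    for section, body in SECTION_RE.findall(sddl):
        for ace in ACE_RE.findall(body):
            ace_type, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
            acls["dacl" if section == "D" else "sacl"].append({
                "type": ACE_TYPES[ace_type],
                "flags": flags,
                "rights": _rights(rights),
                "sid": sid,
                "trustee": TRUSTEES.get(sid, sid),
            })
    return acls


def denied_to(sddl):
    """(trustee, sorted rights) for every deny ACE in the DACL."""
    return [(a["trustee"], sorted(a["rights"]))
            for a in parse_sddl(sddl)["dacl"] if a["type"] == "deny"]


def access_check(sddl, sid, requested):
    """Walk the DACL in order as the Windows access check does.

    A deny ACE for the trustee that overlaps any still-unsatisfied requested
    right denies; allow ACEs accumulate granted rights; success once nothing
    requested remains. Rights never granted are denied by default.
    """
    remaining = set(requested)
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "deny" and remaining & ace["rights"]:
            return False
        if ace["type"] == "allow":
            remaining -= ace["rights"]
            if not remaining:
                return True
    return not remaining


if __name__ == "__main__":
    for ace in parse_sddl(WINDEFENDER_SDDL)["dacl"]:
        print(f"{ace['type']:5} {ace['trustee']:24} {' '.join(sorted(ace['rights']))}")
    print("Administrators may stop the service:",
          access_check(WINDEFENDER_SDDL, "BA", {"SERVICE_STOP"}))
    print("Administrators may rewrite its DACL:",
          access_check(WINDEFENDER_SDDL, "BA", {"WRITE_DAC"}))
```

The single deny ACE, `(D;;WPDT;;;BA)`, strips SERVICE_STOP and SERVICE_PAUSE_CONTINUE from Administrators, and the preceding allow ACE for BA omits the same two rights, so `sc stop WinDefender` fails for an admin regardless of ACE order. Administrators do keep SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC, so the descriptor can be rewritten with `sc sdset` or the service removed with `sc delete` (the deletion completes once the process is no longer running). The S: section adds a failure-audit ACE for Everyone, which is why sc.exe appears in the AdjustPrivilegeToken table enabling SeSecurityPrivilege: writing a SACL requires it.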

Network

Country Destination Domain Proto
US 8.8.8.8:53 2cb9f580-758b-4584-af2c-3c575797da9d.uuid.allstatsin.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server16.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.104:443 server16.allstatsin.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server16.allstatsin.ru tcp
BG 185.82.216.104:443 server16.allstatsin.ru tcp

Files

memory/1344-1-0x0000000004F70000-0x0000000005369000-memory.dmp

memory/1344-2-0x0000000005370000-0x0000000005C5B000-memory.dmp

memory/1344-3-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5108-4-0x00000000046D0000-0x0000000004706000-memory.dmp

memory/5108-5-0x0000000004DB0000-0x00000000053DA000-memory.dmp

memory/5108-6-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/5108-7-0x0000000004770000-0x0000000004780000-memory.dmp

memory/5108-8-0x0000000004CE0000-0x0000000004D02000-memory.dmp

memory/5108-9-0x00000000055D0000-0x0000000005636000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqsd4ygb.44q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5108-10-0x0000000005640000-0x00000000056A6000-memory.dmp

memory/5108-19-0x00000000057A0000-0x0000000005AF7000-memory.dmp

memory/5108-20-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

memory/5108-21-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

memory/5108-22-0x0000000006160000-0x00000000061A6000-memory.dmp

memory/5108-23-0x0000000004770000-0x0000000004780000-memory.dmp

memory/5108-24-0x000000007FBD0000-0x000000007FBE0000-memory.dmp

memory/5108-25-0x0000000006FE0000-0x0000000007014000-memory.dmp

memory/5108-26-0x0000000070720000-0x000000007076C000-memory.dmp

memory/5108-27-0x00000000708A0000-0x0000000070BF7000-memory.dmp

memory/5108-36-0x0000000006FC0000-0x0000000006FDE000-memory.dmp

memory/5108-37-0x0000000007020000-0x00000000070C4000-memory.dmp

memory/5108-38-0x0000000007790000-0x0000000007E0A000-memory.dmp

memory/5108-39-0x0000000007150000-0x000000000716A000-memory.dmp

memory/5108-40-0x0000000007190000-0x000000000719A000-memory.dmp

memory/5108-41-0x00000000072A0000-0x0000000007336000-memory.dmp

memory/5108-42-0x00000000071B0000-0x00000000071C1000-memory.dmp

memory/5108-43-0x0000000007200000-0x000000000720E000-memory.dmp

memory/5108-44-0x0000000007210000-0x0000000007225000-memory.dmp

memory/5108-45-0x0000000007260000-0x000000000727A000-memory.dmp

memory/1344-46-0x0000000000400000-0x0000000003118000-memory.dmp

memory/5108-47-0x0000000007250000-0x0000000007258000-memory.dmp

memory/5108-50-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/1344-52-0x0000000004F70000-0x0000000005369000-memory.dmp

memory/2780-53-0x0000000004E40000-0x000000000523D000-memory.dmp

memory/2780-54-0x0000000005240000-0x0000000005B2B000-memory.dmp

memory/2780-55-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1344-65-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1276-64-0x00000000056F0000-0x0000000005A47000-memory.dmp

memory/1276-66-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/1276-67-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1276-68-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1276-70-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1276-71-0x0000000070720000-0x000000007076C000-memory.dmp

memory/1276-72-0x00000000708C0000-0x0000000070C17000-memory.dmp

memory/1276-81-0x0000000006C50000-0x0000000006CF4000-memory.dmp

memory/1276-82-0x0000000006F90000-0x0000000006FA1000-memory.dmp

memory/1276-83-0x0000000006FE0000-0x0000000006FF5000-memory.dmp

memory/2780-84-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1276-87-0x00000000744B0000-0x0000000074C61000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1976-90-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/1976-91-0x0000000004D90000-0x0000000004DA0000-memory.dmp

memory/1976-100-0x0000000005CB0000-0x0000000006007000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 45a111ad8cdd4823f7e5ccd27c53a700
SHA1 7a4b6d71ed7f43326739ad40da230851716ab056
SHA256 43960d6a6bf4fe6b3cbddf83f77f7754e947d5049c689ca25c1256bc5382edf3
SHA512 4a5ec769d656f27cf3c7ba3542e7a59d571d278aea54762d768142f73543f2e35d139e7ac925b5ba25091841e958c698b64e14057459412cf5e09e159a5ebfc6

memory/2780-102-0x0000000004E40000-0x000000000523D000-memory.dmp

memory/1976-103-0x0000000004D90000-0x0000000004DA0000-memory.dmp

memory/1976-104-0x0000000070720000-0x000000007076C000-memory.dmp

memory/1976-105-0x0000000070930000-0x0000000070C87000-memory.dmp

memory/2780-114-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1976-116-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/4720-118-0x0000000004C90000-0x0000000004CA0000-memory.dmp

memory/4720-117-0x00000000744B0000-0x0000000074C61000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eb32f610c2dd5d2c8d3207ab94001b8d
SHA1 327bca1288a1d71f95a86ecd8ed6c866167a8b6a
SHA256 d19fa0096ca26f729ab8f3fa3a8ef1a84a1e8ebf915577aedafa6d55859d4619
SHA512 e1f64c01f35f6b1b1a68e1442e872743eb17643168e1c459ed7bdea510e2c7b5b444b3e69500b2fbe880b39d45690370ecf8d067af906664e249b6dead50004a

memory/4720-128-0x0000000004C90000-0x0000000004CA0000-memory.dmp

memory/4720-130-0x0000000070720000-0x000000007076C000-memory.dmp

memory/4720-131-0x00000000708A0000-0x0000000070BF7000-memory.dmp

memory/4720-140-0x000000007F490000-0x000000007F4A0000-memory.dmp

memory/4720-142-0x00000000744B0000-0x0000000074C61000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ce57b5dce0868245685f17d73c85aea1
SHA1 2811a64847b91d734e17ba35ee73a803ab680cac
SHA256 bf1497d3bcdbe24885b0fc93de19b08fc8e091f1083c282bb5f51d4940d3c3f6
SHA512 2b18e1feaee10706bc024655949900db21f85b3da2d7e9aed5b55d5ca210057288c82d62d4125e84fbc9aec932c252e785d01c214518f66b719fbddff4e9fea7

memory/2780-145-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2124-149-0x0000000005200000-0x0000000005600000-memory.dmp

memory/2124-150-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 752dc48ac77dca51b111ddbabdf34657
SHA1 da9fd4fd4d75880f82f1e09f42e9591a65d998cb
SHA256 ff05a6a6e508b53b754b53f03cf11616d5166f4705380f7fcce6bb43aff3d8e8
SHA512 5f958f3c4cd00c07022b99d9d8b792ce7a54e8866b75a27feb7de22e00c50991f00896e908151b3ecc132c68d2402c1cafde4df286ee7d5cf7e482638742b05d

memory/2124-175-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 615717d98849f436abe9d71832dc7453
SHA1 95d5566ef51954cf6899662547744e37e5076088
SHA256 6d97669c55dd91dec85dc53dfd9430013967b5a2f0d30fb538733556e2d23ee6
SHA512 5d45aef4e61ffea1b549de0b8a91a5fdcc353eacbd1b1581237dd697052dc0c68674e87ea9d037b74e91d8186e8c28c9a12fceb17cdba5aca3198d54ad6e7875

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e2e2781e9d19e079d40980f35d8fc6bc
SHA1 ae3aa2bd5391dba9b0dba75782091192a4e94c14
SHA256 9bd67bd23f2d75a11ad077900319143944933171982c37cf372d17c135849484
SHA512 94ce7a8d27a223b573bf0417ef75ddf18ceac3ce7c3e1e9a6d3970f2d9262c2be61cc88f577b534c07a10d4e7f6158fa4f31d7c086687eb42ebd29c7fb6ce090

memory/2124-238-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2124-245-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/464-253-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2124-255-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2124-258-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2124-261-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2124-264-0x0000000000400000-0x0000000003118000-memory.dmp

memory/3304-266-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2124-267-0x0000000000400000-0x0000000003118000-memory.dmp

memory/2124-270-0x0000000000400000-0x0000000003118000-memory.dmp