Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-thf8cage73
Target ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca
SHA256 ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca

Threat Level: Known bad

The file ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 16:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 16:03

Reported

2024-04-19 16:06

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\system32\cmd.exe
PID 4072 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\system32\cmd.exe
PID 4808 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4808 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4072 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\rss\csrss.exe
PID 4072 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\rss\csrss.exe
PID 4072 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\rss\csrss.exe
PID 3516 wrote to memory of 3356 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 3356 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 3356 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 2424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 2424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 2424 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 3828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 3828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 3828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 876 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3516 wrote to memory of 876 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2692 wrote to memory of 4404 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 4404 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 4404 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4404 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4404 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe

"C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe

"C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rlwujrf1.bko.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 271151ab0701e9af2b1e79272d193257
SHA1 66b77b0d0b1b9ee9afb06c3ccf23e6ca1001e210
SHA256 242f618e8f3f0d42c9819852a82a01b758dd133112106b337c1a2cdd80b08ece
SHA512 24ceac0aaead8f5311ff7086da0d3ff04644dd00c1af1b6540152366ef4f1257e8b6109a409e50e7ad792d31029dbe163d2c3ca4314cfbba9f44f4b6c0be5d93

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d176d235f78f7d92f7199469c08ce971
SHA1 b08e6d36844adb22345f1658873f68d3e03a9419
SHA256 7edb035eb564e777afd275fc3f99568128c0bf8feb670be8d4413d7264104cd3
SHA512 3ca733d0a36749dca7e065f630962816f14f28419700586f306eb4d3cd8d41ff2e23a8fafc7c1b862ff0b9c10ba4aed197f6d8ad3d045bd856379c6c71d9e95f

C:\Windows\rss\csrss.exe

MD5 9900b35a781acf70691440b543a51462
SHA1 e1c509f4e5d9c4d426a876e8a75608e0e7f47f3c
SHA256 ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca
SHA512 c42217029baaefbc0789c4691973b36621fb312e073c39070a5121a686ac77c894fffb90ecace1e4af9ec7211662efe3057169dbc4f581a9dd2081c9a39c6a88

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4e406ec8151b7898677bdee3a3415a7f
SHA1 7184fd9c0bf5914d41b76805be9901a8ef1cc8c5
SHA256 8788386c9a6272f7ada577414d0df278545f2e872dfd4c799c6e99e91ff8681c
SHA512 97bac43b4eb7943d7f2370065bcd5abcadc637b1235f103b5857fa034459c50f7ebb8fa85f68efd727cbf4fdb6c7b13f1f89181307a14acff76a8af8fd107478

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d3876c62651a8a47eda3ad0b772d7761
SHA1 5076117f64e17151a26fbaa4d0947cd7ee6081e5
SHA256 8398600368b080c020d522811565f30d456a491ec194b8cca2c4f4a62f21b706
SHA512 478cbee0ebd96df440a0d2e9571205e6360a8a3adb463ce7d4b7cc94dced3e1cfd1a7d68e8bffe86a5b9854e29271cae751da6849db6c6f428a84fc79d76604a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b289a145f3689cc3d3a7de6811b1be79
SHA1 0f1f43d66155cad1b9456e5381e84924ca954235
SHA256 8ffed1714c3ed3cad67b6c4c6bdd2019c210b15be4f1b3a40d7dc971e6f8688e
SHA512 0c01cbf5f40abfd1f7949eaad8eb4c34b6b17a1db10f9ce3cbd828d3fe27db5c32cd05f15a94125ef5f93bbfc31f7295c3cf79eb5094fd5c16ed8d692a54e1e7

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 16:03

Reported

2024-04-19 16:06

Platform

win11-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\system32\cmd.exe
PID 4612 wrote to memory of 1352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4612 wrote to memory of 1352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\rss\csrss.exe
PID 3168 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\rss\csrss.exe
PID 3168 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe C:\Windows\rss\csrss.exe
PID 3176 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 4824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 236 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3176 wrote to memory of 236 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4892 wrote to memory of 3232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 3232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 3232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3232 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3232 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe

"C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe

"C:\Users\Admin\AppData\Local\Temp\ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3df34016-7a60-4aed-93ab-9ac42d28d72a.uuid.statstraffic.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server1.statstraffic.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.104:443 server1.statstraffic.org tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server1.statstraffic.org tcp
NL 52.111.243.29:443 tcp
BG 185.82.216.104:443 server1.statstraffic.org tcp

Files

memory/4936-1-0x0000000003C40000-0x0000000004043000-memory.dmp

memory/4936-2-0x0000000004050000-0x000000000493B000-memory.dmp

memory/4936-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1232-4-0x0000000003270000-0x00000000032A6000-memory.dmp

memory/1232-5-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/1232-7-0x00000000032C0000-0x00000000032D0000-memory.dmp

memory/1232-6-0x00000000032C0000-0x00000000032D0000-memory.dmp

memory/1232-8-0x00000000059C0000-0x0000000005FEA000-memory.dmp

memory/1232-9-0x0000000005880000-0x00000000058A2000-memory.dmp

memory/1232-10-0x0000000006160000-0x00000000061C6000-memory.dmp

memory/1232-11-0x0000000006240000-0x00000000062A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_turs0ytx.anr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1232-20-0x00000000062B0000-0x0000000006607000-memory.dmp

memory/1232-21-0x0000000006730000-0x000000000674E000-memory.dmp

memory/1232-22-0x0000000006760000-0x00000000067AC000-memory.dmp

memory/1232-23-0x00000000078B0000-0x00000000078F6000-memory.dmp

memory/1232-24-0x000000007FE00000-0x000000007FE10000-memory.dmp

memory/1232-25-0x0000000007B40000-0x0000000007B74000-memory.dmp

memory/1232-26-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/1232-27-0x0000000070EC0000-0x0000000071217000-memory.dmp

memory/1232-36-0x0000000007BA0000-0x0000000007BBE000-memory.dmp

memory/1232-37-0x0000000007BC0000-0x0000000007C64000-memory.dmp

memory/1232-38-0x0000000008330000-0x00000000089AA000-memory.dmp

memory/1232-39-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

memory/1232-40-0x0000000007D30000-0x0000000007D3A000-memory.dmp

memory/1232-41-0x0000000007E40000-0x0000000007ED6000-memory.dmp

memory/1232-42-0x0000000007D50000-0x0000000007D61000-memory.dmp

memory/1232-43-0x0000000007DA0000-0x0000000007DAE000-memory.dmp

memory/1232-44-0x0000000007DB0000-0x0000000007DC5000-memory.dmp

memory/1232-45-0x0000000007E00000-0x0000000007E1A000-memory.dmp

memory/1232-46-0x0000000007E30000-0x0000000007E38000-memory.dmp

memory/1232-49-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/3168-51-0x0000000003B20000-0x0000000003F1E000-memory.dmp

memory/3168-52-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4936-53-0x0000000003C40000-0x0000000004043000-memory.dmp

memory/3168-54-0x0000000003F20000-0x000000000480B000-memory.dmp

memory/4052-55-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/4052-62-0x0000000002FF0000-0x0000000003000000-memory.dmp

memory/4052-66-0x0000000002FF0000-0x0000000003000000-memory.dmp

memory/4052-56-0x0000000005E80000-0x00000000061D7000-memory.dmp

memory/4052-67-0x000000007F5C0000-0x000000007F5D0000-memory.dmp

memory/4052-68-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/4052-69-0x00000000716C0000-0x0000000071A17000-memory.dmp

memory/4052-78-0x00000000076C0000-0x0000000007764000-memory.dmp

memory/4936-79-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4052-81-0x0000000002FF0000-0x0000000003000000-memory.dmp

memory/4052-80-0x0000000002FF0000-0x0000000003000000-memory.dmp

memory/4052-82-0x00000000079E0000-0x00000000079F1000-memory.dmp

memory/4052-83-0x0000000007A30000-0x0000000007A45000-memory.dmp

memory/4052-86-0x0000000074A80000-0x0000000075231000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/2900-89-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/2900-90-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/2900-96-0x0000000005560000-0x00000000058B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8f5fd945ff701929e48bc75abc667b35
SHA1 7d8b0d8becd37de7a670d348f18c53cdddf0e47c
SHA256 2ac2480ac0393f53cc54414c47b0e07b9ae1554267770bce6aff5eade78f56b1
SHA512 ce815b92e6e1919780d5267381dfd78af3a9b01de0cde7f0ea4a3b445558d205064450684bd9d59e646e087501bdd9e296f75e256e19931b628e15ae882d08a9

memory/2900-101-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/2900-102-0x0000000070F40000-0x0000000071297000-memory.dmp

memory/3168-111-0x0000000003B20000-0x0000000003F1E000-memory.dmp

memory/3168-112-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2900-113-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/2900-114-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/2900-116-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/3396-117-0x0000000074A80000-0x0000000075231000-memory.dmp

memory/3396-118-0x0000000005290000-0x00000000052A0000-memory.dmp

memory/3396-127-0x0000000006050000-0x00000000063A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 be688eed38ce6b2fa083e238a137266a
SHA1 a4a7699e97793327ae7d0a6d169b7463db939b68
SHA256 fca10cb4634134c05ba4a61eb871ca3378f77424a168d0139272710ce9ca0d99
SHA512 5511e04c99dc173d1246ddc079b6bbb3edd5d1cb1b718818505eb3f95194af1774864516b60d7629ef3785bbdbc0f43adae5882e3cdb2f75bb722ea67d3db902

memory/3396-129-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

memory/3396-130-0x0000000070E70000-0x00000000711C7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9900b35a781acf70691440b543a51462
SHA1 e1c509f4e5d9c4d426a876e8a75608e0e7f47f3c
SHA256 ba096aa71726bcf62c0a7c08580ba5a17867d2a3386356c2963628c91754adca
SHA512 c42217029baaefbc0789c4691973b36621fb312e073c39070a5121a686ac77c894fffb90ecace1e4af9ec7211662efe3057169dbc4f581a9dd2081c9a39c6a88

memory/3168-148-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0f7d820fe45677ec3ce83989a3aed8c8
SHA1 1e3a9a79e056c186a35a37635d7be97fbf7eb3b5
SHA256 20cd604d1179b50b3d5f3e590febd5ae06c3df02d2adf106e5f6395fb0599902
SHA512 129fcce8493e283a58cff0200961ee4e821f92cd1a15f273dc718d67b6d13a5338eee84dd0779caa9f90430932f563316772ba1bc1cef89f42a1793732af9ba4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 84f3a382a32cfea1e3470fdbd7c72e9b
SHA1 aa47a85a49cd33faeebe682549f1ae6eae02a91f
SHA256 ba9628b72475086f808db24cec81c1c519442873131e67bc66be329f16d9f48f
SHA512 34fbb7543441ebbb290823a8d39419770d80a1c38bb42e790f6088a6ae7e361ca86f68b9411453da9262abc27f6ec86da7a766fddccfb55b1a678e149d6d6192

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e46fdce6137d496e97a90b0af85f514d
SHA1 0e5dc00b18fc70bd94195181f9c5a5c20d787ecd
SHA256 55ce34344f042dc0a6101c549ff1cdf8a19911e56eb08f339dad1d6a7edd305f
SHA512 d6a36aa47d3485f5105244acb00383a44becc3856b105db9a72c6ac73e219ebbd2ed16ba40964f19b8279de77cfbb8a375c3bb47bae1b76f54fc635cd3ebb03b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3176-242-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4892-251-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3176-253-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-256-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2128-257-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3176-260-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-264-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2128-265-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3176-268-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-274-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-277-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-281-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-285-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-288-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-292-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3176-296-0x0000000000400000-0x0000000001DFD000-memory.dmp