Malware Analysis Report

2025-01-02 06:29

Sample ID: 240515-3jwtvshg7y
Target: 68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca
SHA256: 68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca

Threat Level: Known bad

The file 68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:33

Reported

2024-05-15 23:35

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target Hits
N/A N/A N/A N/A 19

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target Hits
N/A N/A C:\Windows\rss\csrss.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 1
N/A N/A C:\Windows\windefender.exe N/A 2

UPX packed file

upx
Description Indicator Process Target Hits
N/A N/A N/A N/A 5

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target Hits
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 5
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target Hits
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A 2

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 14
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A 12
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A 32
N/A N/A C:\Windows\rss\csrss.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Hits
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 4020 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3220 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3220 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\system32\cmd.exe 2
PID 3128 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 3220 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3220 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3220 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\rss\csrss.exe 3
PID 1112 wrote to memory of 2604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1112 wrote to memory of 3868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1112 wrote to memory of 888 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1112 wrote to memory of 876 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 2
PID 620 wrote to memory of 2584 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2584 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe

"C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe

"C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
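
The sc sdset command recorded above replaces the security descriptor of the WinDefender service. The block below is an added example, not code from the report or from the sample: it parses that SDDL string into per-trustee service rights and compares it with a baseline descriptor. The baseline is an assumption (the descriptor a stock Windows service commonly carries), not something the report records, and the effective-rights calculation looks only at ACEs naming the trustee directly, ignoring group membership.

```python
"""Decode the service security descriptor written by 'sc sdset WinDefender ...'.

Added example, not part of the sandbox report.
"""
import re
from dataclasses import dataclass

# Two-letter SDDL rights as a *service* object interprets them (winsvc.h bit values).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone", "AU": "Authenticated users"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The descriptor from the sc.exe command line in the Processes list.
GLUPTEBA_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumption: a typical stock service descriptor, used only as a comparison baseline.
BASELINE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
)


@dataclass(frozen=True)
class Ace:
    kind: str          # allow / deny / audit
    flags: str         # raw ACE flags field (FA = audit failed access)
    rights: frozenset
    trustee: str


def expand_rights(spec):
    """Turn 'CCLCSW...' or a hex mask into a set of service right names."""
    if spec.startswith("0x"):
        mask = int(spec, 16)
        return frozenset(name for name, bit in SERVICE_RIGHTS.values() if mask & bit)
    return frozenset(SERVICE_RIGHTS.get(spec[i:i + 2], (spec[i:i + 2], 0))[0]
                     for i in range(0, len(spec), 2))


def parse_sddl(sddl):
    """Return {'D': [Ace, ...], 'S': [Ace, ...]} for the DACL and SACL sections."""
    acls = {"D": [], "S": []}
    for key, body in re.findall(r"([DS]):((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
            acls[key].append(Ace(ACE_TYPES.get(ace_type, ace_type), flags,
                                 expand_rights(rights), TRUSTEES.get(sid, sid)))
    return acls


def effective_rights(sddl, trustee):
    """Allowed rights for a trustee after its explicit deny ACEs are applied (direct ACEs only)."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["D"]:
        if ace.trustee != trustee:
            continue
        if ace.kind == "allow":
            allowed |= ace.rights
        elif ace.kind == "deny":
            denied |= ace.rights
    return frozenset(allowed - denied)


def admins_can_stop(sddl):
    return "SERVICE_STOP" in effective_rights(sddl, "Builtin Administrators")


def lost_rights(sddl, baseline, trustee):
    """Rights the trustee holds under the baseline but not under sddl."""
    return effective_rights(baseline, trustee) - effective_rights(sddl, trustee)


if __name__ == "__main__":
    for ace in parse_sddl(GLUPTEBA_SDDL)["D"]:
        print(f"{ace.kind:5} {ace.trustee:24} {' '.join(sorted(ace.rights))}")
    admins = "Builtin Administrators"
    print("Administrators can stop the service:", admins_can_stop(GLUPTEBA_SDDL))
    print("Rights removed from Administrators:", sorted(lost_rights(GLUPTEBA_SDDL, BASELINE_SDDL, admins)))
    print("Administrators keep WRITE_DAC:", "WRITE_DAC" in effective_rights(GLUPTEBA_SDDL, admins))
```

The output shows the Administrators entry keeps SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER while the explicit deny ACE removes SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so a plain `sc stop WinDefender` fails for an administrator. Because WRITE_DAC was left in place, an administrator can still inspect the descriptor with `sc sdshow WinDefender` and rewrite it with `sc sdset WinDefender <descriptor>` before stopping the service.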

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.122:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 122.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 5663b509-a5bd-43da-a54b-6e4ee4282b47.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server7.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server7.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.96:443 server7.thestatsfiles.ru tcp
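
The table mixes three kinds of rows: forward DNS lookups, reverse (in-addr.arpa) lookups of the peers the host talked to, and the TCP/UDP connections themselves. The table has no process column, so the bing.com flows cannot be attributed to the sample from this page alone and may be platform background traffic. The block below is an added example, not part of the report: it reads a subset of the rows above, pairs each reverse lookup with the forward connection it reverses, and flags the hostname whose leftmost label is a UUID.

```python
"""Triage of the behavioral1 network table (added example, not part of the sandbox report)."""
import re
from collections import defaultdict

# Rows copied from the Network table above (a subset), in the table's own
# "Country Destination Domain Proto" layout.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 5663b509-a5bd-43da-a54b-6e4ee4282b47.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server7.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server7.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server7.thestatsfiles.ru tcp
"""

# A leftmost DNS label shaped like a UUID (8-4-4-4-12 hex groups).
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)
STUN_PORT = 19302   # port of the stun3.l.google.com flow in the table


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def reverse_to_forward(ptr_name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'."""
    octets = ptr_name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(text):
    rows = parse_rows(text)
    report = {"dns_queries": set(), "uuid_queries": [], "reverse_pairs": {},
              "tcp_endpoints": set(), "stun": set()}
    contacted = defaultdict(set)          # peer IP -> forward names that resolved to it
    for r in rows:
        if r["proto"] == "tcp":
            contacted[r["ip"]].add(r["domain"])
            report["tcp_endpoints"].add((r["ip"], r["port"], r["domain"], r["country"]))
        elif r["port"] == STUN_PORT:
            contacted[r["ip"]].add(r["domain"])
            report["stun"].add(r["domain"])
    for r in rows:
        if r["port"] != 53:
            continue
        name = r["domain"]
        if name.endswith(".in-addr.arpa"):
            peer = reverse_to_forward(name)
            # Which forward connection, if any, this reverse lookup corresponds to.
            report["reverse_pairs"][peer] = sorted(contacted.get(peer, ()))
        else:
            report["dns_queries"].add(name)
            if UUID_LABEL.match(name):
                report["uuid_queries"].append(name)
    return report


if __name__ == "__main__":
    rep = triage(NETWORK_ROWS)
    print("UUID-labelled lookups:", rep["uuid_queries"])
    for peer, names in sorted(rep["reverse_pairs"].items()):
        print(f"rDNS {peer:16} <- {', '.join(names) or '(no forward connection in table)'}")
    for ip, port, name, cc in sorted(rep["tcp_endpoints"]):
        print(f"TCP  {ip}:{port} {name} [{cc}]")
```

Pairing the reverse lookups shows the host reverse-resolved the peers it had just connected to, including 185.82.216.96 (server7.thestatsfiles.ru) and 74.125.250.129 (the STUN server); one reverse lookup, 93.184.221.240, has no matching forward connection in the table. A UUID-shaped label in front of a second-level domain is worth pivoting on in DNS logs, since it usually varies per installation while the parent domain stays constant.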

Files

memory/4020-1-0x0000000004860000-0x0000000004C5C000-memory.dmp

memory/4020-2-0x0000000004C60000-0x000000000554B000-memory.dmp

memory/4020-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1600-6-0x000000007455E000-0x000000007455F000-memory.dmp

memory/1600-5-0x0000000002C60000-0x0000000002C96000-memory.dmp

memory/1600-8-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4020-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1600-9-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/1600-7-0x0000000005470000-0x0000000005A98000-memory.dmp

memory/1600-10-0x0000000005380000-0x00000000053A2000-memory.dmp

memory/1600-12-0x0000000005B10000-0x0000000005B76000-memory.dmp

memory/1600-11-0x0000000005AA0000-0x0000000005B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fl3p3gse.vx1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1600-22-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/1600-23-0x0000000006290000-0x00000000062AE000-memory.dmp

memory/1600-24-0x00000000062C0000-0x000000000630C000-memory.dmp

memory/1600-25-0x00000000067C0000-0x0000000006804000-memory.dmp

memory/1600-26-0x0000000007570000-0x00000000075E6000-memory.dmp

memory/1600-27-0x0000000007C70000-0x00000000082EA000-memory.dmp

memory/1600-28-0x0000000007610000-0x000000000762A000-memory.dmp

memory/1600-29-0x00000000077D0000-0x0000000007802000-memory.dmp

memory/1600-30-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/1600-42-0x0000000007810000-0x000000000782E000-memory.dmp

memory/1600-32-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/1600-31-0x0000000070BC0000-0x0000000070F14000-memory.dmp

memory/1600-43-0x0000000007830000-0x00000000078D3000-memory.dmp

memory/1600-44-0x0000000007920000-0x000000000792A000-memory.dmp

memory/1600-45-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/1600-46-0x0000000007A00000-0x0000000007A96000-memory.dmp

memory/1600-47-0x0000000007960000-0x0000000007971000-memory.dmp

memory/1600-48-0x00000000079A0000-0x00000000079AE000-memory.dmp

memory/1600-49-0x00000000079B0000-0x00000000079C4000-memory.dmp

memory/1600-50-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

memory/1600-51-0x00000000079E0000-0x00000000079E8000-memory.dmp

memory/1600-54-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4020-56-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4020-57-0x0000000004860000-0x0000000004C5C000-memory.dmp

memory/4020-58-0x0000000004C60000-0x000000000554B000-memory.dmp

memory/2024-59-0x0000000006300000-0x0000000006654000-memory.dmp

memory/2024-69-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/2024-70-0x0000000070B70000-0x0000000070EC4000-memory.dmp

memory/2024-80-0x0000000007B80000-0x0000000007C23000-memory.dmp

memory/2024-81-0x0000000007E40000-0x0000000007E51000-memory.dmp

memory/4020-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3220-82-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2024-84-0x0000000007E90000-0x0000000007EA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3060-93-0x0000000005350000-0x00000000056A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d6413d6ab634fc6cf490ebdf9bbb26cc
SHA1 3d0c77d2057c155dfbbbf17b164877e834768ca3
SHA256 cad56643f239b02992f751528386a789da0c7258326a0936090a200b245e194a
SHA512 84f845cd75346512c12bf4398a4ce8465020d6edf98268f82776e46d1469eec1ef948b4f3fce430c5eced598676e9f846dad865f36188a618a75571f308cf8eb

memory/3060-99-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/3060-100-0x0000000070B90000-0x0000000070EE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bb52f2814ffcf4e1b7319774ef2d34fd
SHA1 d299a97e36d7a9efbe5ad9d1f8aa3628d8595c93
SHA256 4ba48534ffb7e4377ae5fd2a118a2430b3684cb95658cd9d8957f164a044b450
SHA512 2df05f6394640d9fbe051924c50f523dd5ee9a670354aa6c90991c66bec18b9b56bcc80a520df4026d99ed64aa2848decfe6f74deaaf4b7d94926d89c60a95ff

memory/2272-122-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/2272-123-0x0000000070B70000-0x0000000070EC4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7f1072397cc1ba27d16fd148785013d0
SHA1 acf6c1c60aef02881427125404a2aefe6f281c3c
SHA256 68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca
SHA512 e057dff8fe051043d23dd4a6bdd69ff90c4e6fc3d364030bdd2b9b1908125dcd901528dfe298b5fcbfb17755507ac97bb747f1def88c66f840f56a742bb7d35a

memory/3220-139-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2604-150-0x0000000005AD0000-0x0000000005E24000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3f581d1bd3e36df1335fee07fc2ce50
SHA1 902b2be36aaa7de97cff62e0cd1332a68a9572a0
SHA256 c76dfcb132236f45fc23c1acfa067fa9f32b3cc8647d91985b4dbd5dfbf68a92
SHA512 2ebda9f0c3a2d38203f9b9dd738f047fb5c7cda503eea57171bacd4883a791f6486988952e92754ef9b11eee15cef7a57d36f55b1d57e8fd71e32ec4e3df3f26

memory/2604-152-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/2604-153-0x0000000070570000-0x00000000708C4000-memory.dmp

memory/3868-166-0x0000000005EA0000-0x00000000061F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ce1bb9ddf27ecca3633d6cf5cbf04a00
SHA1 dc776f6345e224dc16d4c74b26ee29dd9680df1a
SHA256 e81afc6b742f00949bdfe54a46d115a15a8fb73df337ad3ec26eee9bc81b4af3
SHA512 7f04bd1f1ccd5a39eec643604f0cef93b91ba92cfb0d544263ae9b82c9136f172bc547c3146d83c1deed7e50f52c61a84cac01c1b85af473750e50804ddd8953

memory/1112-165-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3868-177-0x00000000065B0000-0x00000000065FC000-memory.dmp

memory/3868-178-0x0000000070310000-0x000000007035C000-memory.dmp

memory/3868-179-0x0000000070AA0000-0x0000000070DF4000-memory.dmp

memory/3868-189-0x0000000007780000-0x0000000007823000-memory.dmp

memory/3868-190-0x0000000007B00000-0x0000000007B11000-memory.dmp

memory/3868-191-0x0000000006350000-0x0000000006364000-memory.dmp

memory/888-202-0x00000000057A0000-0x0000000005AF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a1359d0771d1320c677843c63cb82e2
SHA1 b50501edcc878dd2ae5cf01ce64214760d0892bf
SHA256 63b974ad7a8eec00d23cea8a0ea3f2dfefa39d883a823cc96b6a32ded8ae2f7d
SHA512 6c425c490c6f857b50f1c91931198f92ea25d2514dc6e63bc2f3af72f07c0987c3dd348fc0325e26e2a9a96138716dac5a572f64b30605375684b8a59d2aaca1

memory/888-205-0x0000000070310000-0x000000007035C000-memory.dmp

memory/888-206-0x0000000070490000-0x00000000707E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1112-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/620-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/620-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1112-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2068-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1112-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1112-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2068-244-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1112-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1112-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1112-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1112-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1112-261-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1112-265-0x0000000000400000-0x0000000002B0B000-memory.dmp
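
Taken together, the behavioral1 process tree and command lines above describe a short persistence and hardening sequence: the dropper copies itself to C:\Windows\rss\csrss.exe (the Files list shows the dropped file has the same SHA256 as the submitted sample), registers that copy as an ONLOGON task running with highest privileges and as a Run key, opens an inbound firewall allow rule for it, runs a Temp-resident injector against taskmgr.exe with a DLL argument, and rewrites the WinDefender service DACL to deny administrators stop and pause. The block below is an added example, not part of the report and not a published rule set: it runs a handful of command-line checks over constructed process-creation events assembled from the Processes list. PIDs 1112, 876, 620, 2584 and 4920 come from the WriteProcessMemory table; the remaining PIDs and the trusted-directory allowlist are assumptions made for the example.

```python
"""Detection pass over the behavioral1 process list (added example, not part of the report)."""
import re
from pathlib import PureWindowsPath

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed process-creation events built from the Processes list. PIDs 1112, 876, 620,
# 2584 and 4920 are the report's; the others are arbitrary values for the example.
EVENTS = [
    {"pid": 4020, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 1600, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nologo -noprofile"},
    {"pid": 3452, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'},
    {"pid": 3460, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 1112, "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"pid": 3500, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 3508, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": "schtasks /delete /tn ScheduledUpdate /f"},
    {"pid": 876, "image": INJECTOR,
     "cmdline": INJECTOR + r" taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"pid": 620, "image": r"C:\Windows\windefender.exe", "cmdline": r'"C:\Windows\windefender.exe"'},
    {"pid": 2584, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd.exe /C sc sdset WinDefender " + SDDL},
    {"pid": 4920, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc sdset WinDefender " + SDDL},
]

# Names of core Windows processes that legitimately live only in System32.
SYSTEM_IMAGES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumption for the example: locations from which an autostart or firewall-allowed binary is expected.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def _trusted(path):
    return path.strip('"').lower().startswith(TRUSTED_PREFIXES)


def rule_masquerade(ev):
    p = PureWindowsPath(ev["image"])
    if p.name.lower() in SYSTEM_IMAGES and str(p.parent).lower() not in SYSTEM_DIRS:
        return f"system process name outside System32: {ev['image']}"


def rule_schtasks_logon_highest(ev):
    cl = ev["cmdline"]
    if (re.search(r"\bschtasks(?:\.exe)?\b.*/create", cl, re.I)
            and re.search(r"/sc\s+onlogon", cl, re.I) and re.search(r"/rl\s+highest", cl, re.I)):
        m = re.search(r'/tr\s+"?([^"]+)', cl, re.I)
        target = m.group(1).strip() if m else "?"
        if not _trusted(target):
            return f"ONLOGON task with highest privileges runs {target}"


def rule_firewall_allow(ev):
    cl = ev["cmdline"]
    if re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", cl, re.I) and re.search(r"action=allow", cl, re.I):
        m = re.search(r'program="?([^"\s]+)', cl, re.I)
        prog = m.group(1) if m else "?"
        if not _trusted(prog):
            return f"inbound allow rule for {prog}"


def rule_service_sd_deny_admins(ev):
    cl = ev["cmdline"]
    if re.search(r"\bsc(?:\.exe)?\s+sdset\b", cl, re.I) and re.search(r"\(D;[^)]*;;;BA\)", cl):
        return "service DACL gains an explicit deny ACE for Builtin Administrators"


def rule_temp_injector(ev):
    if "\\appdata\\local\\temp\\" in ev["image"].lower() and re.search(r"\S+\.exe\s+\S+\.dll", ev["cmdline"], re.I):
        return "Temp-resident binary given a target process and a DLL on its command line"


RULES = [rule_masquerade, rule_schtasks_logon_highest, rule_firewall_allow,
         rule_service_sd_deny_admins, rule_temp_injector]


def run_rules(events):
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"pid": ev["pid"], "rule": rule.__name__, "detail": hit})
    return findings


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"pid {f['pid']:5} {f['rule']:28} {f['detail']}")
```

The wrapper cmd.exe and the child it spawns both match the firewall and sdset rules, which is expected when checks run on command lines rather than on the final process; deduplicate on the child or on the parent chain when wiring this into a real pipeline. The Run key entry under HKU\...\CurrentVersion\Run\csrss does not appear in any command line and needs a registry-event source instead.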

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:33

Reported

2024-05-15 23:35

Platform

win11-20240419-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
19 matches reported; the report exports no description, indicator, process or target for them

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
5 matches reported; the report exports no description, indicator, process or target for them

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\system32\cmd.exe
PID 1552 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\system32\cmd.exe
PID 4784 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4784 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1552 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\rss\csrss.exe
PID 1552 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\rss\csrss.exe
PID 1552 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe C:\Windows\rss\csrss.exe
PID 2860 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1400 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 4468 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2860 wrote to memory of 4468 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1924 wrote to memory of 412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 412 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 412 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 412 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe

"C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe

"C:\Users\Admin\AppData\Local\Temp\68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 f5fbb323-76fb-43d8-9fe6-d90e2bd498aa.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server15.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oaokso5q.ima.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 588fe44886e2d9bf703d4b8041658e61
SHA1 54a3f8167690c0f4d1985d82add7f61f656e32a7
SHA256 239b67e43979ecb2bb31ec05a790ac2df306560cb18fbe2b3ec6098db76905f1
SHA512 b18221aca021d6adf628cf6dd4d8e4ce4a87e52f316f73542352695819d0fc6c4f136cb61a2723d35d53258877eca77ec6c4c3c8ccb86465d6a01448e11ba83f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a819361fe71f179bd4ff442cac9cc3ff
SHA1 071b49d4bdd96f47893ea5857298d7a843608ba1
SHA256 9911648c3e862076dd849f9dccfd216140b532a9b331dda41635472d1c2e2b16
SHA512 6f72a6110584512c8fe9dfefdfd3e3921f50e345ef6298f9cf0b497d7a47aad03df8924fa3c3341355ad74e0b0147aaccf6562197e5b99ecf913894d62085d12

C:\Windows\rss\csrss.exe

MD5 7f1072397cc1ba27d16fd148785013d0
SHA1 acf6c1c60aef02881427125404a2aefe6f281c3c
SHA256 68ba1bfe116b4cf0020fecece8c8a2387628a3ba35e84c7a440ba4b838d1d5ca
SHA512 e057dff8fe051043d23dd4a6bdd69ff90c4e6fc3d364030bdd2b9b1908125dcd901528dfe298b5fcbfb17755507ac97bb747f1def88c66f840f56a742bb7d35a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd9af5c99a0f25edf5d204230c80899c
SHA1 bf2a3ce2cbfc3f0959fc14d51cb71b6bff002b60
SHA256 f2a91e4715232c903375ae7c0aaea46181297e08af1925ca93dc8492507bc3d6
SHA512 cb25b3643db568bd445435c54efeb2e3a103d76bbc7ae5bdf001e18a282c2af934a5c8ea0c092f77daa316afbc52c7e24e1a58427bebc42be54058f04ccc4b1f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab9e4771e41993e7d0f6e733bd562388
SHA1 333d3337e034742bb2a160ea66cc156809f84e76
SHA256 5d9617c6d8d5e094af12f9bbf7a4ebfa862e028fb7062741a1adf33a029d023d
SHA512 e85be9b89dc969eb128c12405d4ac645d1ebec68ea1f4122268b0f18d2546eae227cb88e2bf19dcdfbd82e2140d0fb78f49755036663a8b8e4bc0bc180f921ea

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5cd5c028f55631f0884db5975f329b94
SHA1 4107c6d6eac769d7c3510b48974b761b462fb0a4
SHA256 ada2b92ea24e0fbf2310d6e5e5969b8ad987da122c1f1ef9821eff3e0d21705b
SHA512 0e44c0d491f8ef8a4f9f47972d55a8ab8b5675229437b59fe0072de63707aad53f83b52b4d731e845d6df150f4bc5ea83b33f6bf30bef2e05e5cbce7f1717f09

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
