Malware Analysis Report

2025-01-02 06:34

Sample ID 240515-3xspcsah86
Target bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3
SHA256 bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
Score

10/10


Analysis Overview

Score

10/10

SHA256

bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3

Threat Level: Known bad

The file bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:53

Reported

2024-05-15 23:56

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\system32\cmd.exe
PID 1504 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\system32\cmd.exe
PID 3140 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3140 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1504 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\rss\csrss.exe
PID 1504 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\rss\csrss.exe
PID 1504 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\rss\csrss.exe
PID 2304 wrote to memory of 1156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1656 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 3752 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2304 wrote to memory of 3752 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4900 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4900 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4900 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe

"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe

"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
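
The command lines above record the whole persistence and evasion chain in plain text: a copy of the sample written to C:\Windows\rss\csrss.exe (the dropped file's SHA256 in the Files section below is identical to the submitted sample, so it is a self-copy and adds no new hash IOC), a logon task with the highest run level pointing at it, an inbound firewall allow rule for it, an injector staged in %TEMP% that loads NtQuerySystemInformationHook.dll into taskmgr.exe, a second payload dropped directly into the Windows root as windefender.exe, and an sc sdset call that rewrites that service's security descriptor. The Python below is an added example, not part of the sandbox report, that runs a handful of hunting rules over those events (copied from the list above as constructed input). The trusted-directory list, the Windows-root allowlist, the core-process-name list and the ATT&CK technique labels are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: (image, command line) pairs copied from the process list of
# this report; the PowerShell launches and cmd.exe wrappers are reduced to one line.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"
EVENTS = [
    (SAMPLE, f'"{SAMPLE}"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
    (r"C:\Windows\SysWOW64\sc.exe",
     r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
     r"(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell -nologo -noprofile"),
]

# Assumptions of this example: directories whose binaries are treated as trusted, a
# partial list of executables legitimately found directly in C:\Windows, and the
# core Windows process names that never run from anywhere but System32.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\program files (x86)")
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                          "splwow64.exe", "bfsvc.exe", "helppane.exe", "winhlp32.exe"}
CORE_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def in_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def analyse(image, cmdline):
    """Return a list of (technique, detail) findings for one process-creation event."""
    findings = []
    path = PureWindowsPath(image)
    name, parent = path.name.lower(), str(path.parent).lower()
    low = cmdline.lower()

    # Masquerading: a core Windows process name launched from outside System32.
    if name in CORE_PROCESS_NAMES and not in_trusted_dir(image):
        findings.append(("T1036.005", f"{name} running from {path.parent}"))
    # A binary sitting directly in the Windows root that is not a known one (windefender.exe here).
    if parent == r"c:\windows" and name not in WINDOWS_ROOT_ALLOWLIST:
        findings.append(("T1036", f"unexpected binary in Windows root: {image}"))
    # Logon task at the highest run level whose action is an untrusted binary.
    if name == "schtasks.exe" and "/create" in low and "/rl highest" in low:
        m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if not in_trusted_dir(target):
            findings.append(("T1053.005", f"logon task runs {target}"))
    # Inbound firewall allow rule for an untrusted program.
    if name == "netsh.exe" and "advfirewall" in low and "action=allow" in low:
        m = re.search(r'program="?([^"\s]+)', cmdline, re.I)
        program = m.group(1) if m else ""
        if not in_trusted_dir(program):
            findings.append(("T1562.004", f"firewall allow rule for {program}"))
    # Service security descriptor rewritten with an explicit deny ACE (review, may be legitimate hardening).
    if name == "sc.exe":
        m = re.search(r"\bsdset\s+(\S+)\s+(\S+)", cmdline, re.I)
        if m and "(D;" in m.group(2):
            findings.append(("T1562", f"deny ACE set on service {m.group(1)}"))
    # Helper staged under %TEMP% that is handed a target process name and a DLL path.
    if "\\appdata\\local\\temp\\" in parent + "\\" and re.search(r"\S+\.exe\s+\S+\.dll\b", cmdline, re.I):
        findings.append(("T1055.001", f"Temp-staged injector: {cmdline}"))
    return findings


def analyse_events(events):
    """Flatten findings over a list of (image, cmdline) events as (image, technique, detail)."""
    return [(image, tech, detail) for image, cmd in events for tech, detail in analyse(image, cmd)]


if __name__ == "__main__":
    for image, tech, detail in analyse_events(EVENTS):
        print(f"{tech:<10} {detail}")
```

Only the child image (netsh.exe, sc.exe, schtasks.exe) is matched, not the cmd.exe wrapper that launched it, so each action is counted once. The one event the rules say nothing about is schtasks /delete /tn ScheduledUpdate /f, which removes a task rather than creating one; whether that name belongs to an earlier stage of the same infection is not something the report shows.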

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 db647541-a121-438c-a871-a09b77c0f9e0.uuid.statsexplorer.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.statsexplorer.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
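
The Network table mixes three kinds of rows: the sandbox's own reverse (in-addr.arpa) lookups of every address it saw, Windows and Edge background traffic to Bing, and the sample's lookups and connections. Sorting them apart by hand is error-prone, so the Python below is an added example, not part of the report, that parses rows in the table's own "Country Destination Domain Proto" layout (a subset of the rows above, copied as constructed input), drops the PTR and Bing noise, separates a DNS query from an actual connection, and groups hostnames under their apex. Treating the .bing.com and .bing.net suffixes as background is this example's assumption, as is the two-label apex heuristic.

```python
import re
from collections import defaultdict

# Constructed input: a subset of rows copied from the Network table above.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 db647541-a121-438c-a871-a09b77c0f9e0.uuid.statsexplorer.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server9.statsexplorer.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption of this example: names under these suffixes are OS/sandbox background traffic.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
# Leftmost label is a UUID: a per-host identifier carried in the query name itself.
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) per data row; header and malformed rows are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        yield country, ip, int(port), domain.lower(), proto.lower()


def triage(text, resolver="8.8.8.8"):
    """Group rows by hostname, recording DNS lookups separately from real contacts."""
    hosts = defaultdict(lambda: {"queried": False, "contacts": set(), "uuid_label": False})
    for country, ip, port, domain, proto in parse_rows(text):
        if domain.endswith(".in-addr.arpa") or domain.endswith(BACKGROUND_SUFFIXES):
            continue
        h = hosts[domain]
        h["uuid_label"] = bool(UUID_LABEL.match(domain))
        if ip == resolver and port == 53:
            h["queried"] = True            # a lookup via the resolver, not traffic to the host
        else:
            h["contacts"].add((ip, port, proto, country))
    return dict(hosts)


def dns_only(hosts):
    """Hostnames that were resolved but never connected to: candidate DNS-only beacons."""
    return sorted(d for d, h in hosts.items() if h["queried"] and not h["contacts"])


def by_apex(hosts):
    """Group hostnames under their last two labels (heuristic; ignores public suffixes such as co.uk)."""
    groups = defaultdict(set)
    for d in hosts:
        groups[".".join(d.rsplit(".", 2)[-2:])].add(d)
    return dict(groups)


if __name__ == "__main__":
    hosts = triage(NETWORK_ROWS)
    for apex, names in sorted(by_apex(hosts).items()):
        print(apex)
        for n in sorted(names):
            print("   ", n, sorted(hosts[n]["contacts"]) or "(DNS only)")
    print("DNS-only:", dns_only(hosts))
```

Two things fall out that the raw table hides. The UUID-labelled statsexplorer.org name is looked up but never connected to, so the lookup itself is the signal, and it shares an apex with server9.statsexplorer.org, the host that receives the repeated TCP/443 connections to 185.82.216.108 in Bulgaria. The UDP 19302 exchange with stun.l.google.com is STUN, a way for the sample to learn its public address; it is not command-and-control by itself and should not be blocked as such, but it belongs in the timeline.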

Files

memory/1604-1-0x0000000004860000-0x0000000004C5C000-memory.dmp

memory/1604-2-0x0000000004C60000-0x000000000554B000-memory.dmp

memory/1604-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4000-4-0x00000000747DE000-0x00000000747DF000-memory.dmp

memory/4000-5-0x0000000003220000-0x0000000003256000-memory.dmp

memory/4000-7-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4000-6-0x00000000058B0000-0x0000000005ED8000-memory.dmp

memory/4000-8-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4000-9-0x0000000005810000-0x0000000005832000-memory.dmp

memory/4000-10-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/4000-11-0x0000000006180000-0x00000000061E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ottclbga.rqy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4000-21-0x00000000062F0000-0x0000000006644000-memory.dmp

memory/4000-22-0x00000000067C0000-0x00000000067DE000-memory.dmp

memory/4000-23-0x0000000006880000-0x00000000068CC000-memory.dmp

memory/4000-24-0x0000000006C10000-0x0000000006C54000-memory.dmp

memory/4000-25-0x0000000007B90000-0x0000000007C06000-memory.dmp

memory/4000-26-0x0000000008290000-0x000000000890A000-memory.dmp

memory/4000-27-0x0000000007B30000-0x0000000007B4A000-memory.dmp

memory/4000-29-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4000-28-0x0000000007D70000-0x0000000007DA2000-memory.dmp

memory/4000-42-0x0000000007DB0000-0x0000000007DCE000-memory.dmp

memory/4000-31-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/4000-43-0x0000000007DD0000-0x0000000007E73000-memory.dmp

memory/4000-30-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4000-45-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4000-44-0x0000000007EC0000-0x0000000007ECA000-memory.dmp

memory/1604-32-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4000-46-0x0000000007FD0000-0x0000000008066000-memory.dmp

memory/4000-47-0x0000000007ED0000-0x0000000007EE1000-memory.dmp

memory/4000-48-0x0000000007F10000-0x0000000007F1E000-memory.dmp

memory/4000-49-0x0000000007F30000-0x0000000007F44000-memory.dmp

memory/4000-50-0x0000000007F80000-0x0000000007F9A000-memory.dmp

memory/4000-51-0x0000000007F70000-0x0000000007F78000-memory.dmp

memory/4000-54-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1520-62-0x0000000005400000-0x0000000005754000-memory.dmp

memory/1604-66-0x0000000004860000-0x0000000004C5C000-memory.dmp

memory/1604-67-0x0000000004C60000-0x000000000554B000-memory.dmp

memory/1520-69-0x0000000070E10000-0x0000000071164000-memory.dmp

memory/1520-68-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1520-79-0x0000000006C60000-0x0000000006D03000-memory.dmp

memory/1520-80-0x0000000006F90000-0x0000000006FA1000-memory.dmp

memory/1520-81-0x0000000006FE0000-0x0000000006FF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1892-94-0x0000000005C80000-0x0000000005FD4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06da7612bd2d0133d1ff28e990610747
SHA1 20cb574461fb675477bf30681089c49597d9e291
SHA256 33ae74a1745a5afd30570d843ccaf61d1e54505ead4199039842c9102e564036
SHA512 6dbbf626716b8524b53befb8a7efdcad0d927a947e0de3f55712a443b81aa01b4563c81aafe35bf1048d9c147cb1cccf9476f9a0b239dd0e609519630bd5c8e4

memory/1892-96-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1892-97-0x0000000070830000-0x0000000070B84000-memory.dmp

memory/1604-107-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 405e991bdbd06007b41ed492418f554a
SHA1 f5f281800004f5b0d796e08fae1d6217f0258a31
SHA256 247be20abc41c163bde80cf461d85539b48959a9986deb3906f1593eae3dbda4
SHA512 70fe39ec3c2d07eb9f4edfd4579a65959188583258c22852daa2d76ba21a26d2f9099e6404c789edb94ea59974c7dff37656a7d2830677de967cc8406492a78e

memory/4512-119-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4512-120-0x00000000707F0000-0x0000000070B44000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c6d95408372f488cbf3a36d5a80448b9
SHA1 e7914c3d193fbcd3c2d6fbea3c0e912df44969c3
SHA256 bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3
SHA512 050b81c3676b1309e590c5c7fa1e7c5bbb31cbcf67f6a8ba84679df48b7f551181077b55934484f739618044b658afc7f83a8ebe6554b39639cee0057319f904

memory/1604-137-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1504-136-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 55e80b8ef5ea8111e2c034239b9ddc90
SHA1 2c3ecc7a0273efcd84ca0862355b790fd26fff39
SHA256 556061395fe8efc337805433246a43d4aa7f98b638af278d8caee7e880f87b85
SHA512 26835ad8c300ea2156e5768ff7d3c54afd0f090cc9db350e772fc13935ceb5ec4e9153d0131432d0d2431dcfc31eb4a14ec392b8d98ebc9b6c99f0304f3938a7

memory/1156-148-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1156-149-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/1656-169-0x0000000006260000-0x00000000065B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bab4fc4318c45a7329a450d103c977e6
SHA1 10e944ecb34401ae39c18a47217ec730921884a4
SHA256 dec300573aedc42f7edb5032ff09cc5c3f51126486d1263041e4eb37cebc2f31
SHA512 979a4113e0b82ffe2af6c9c78722402d34ba0c6fecbfeb7f962673d5ae5e149471e7b9193308394bb372f390af363ac21685518ac29c4d2e9d5427d8ccf5bf23

memory/1656-171-0x0000000006980000-0x00000000069CC000-memory.dmp

memory/1656-172-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/1656-173-0x0000000070760000-0x0000000070AB4000-memory.dmp

memory/1656-183-0x0000000007B80000-0x0000000007C23000-memory.dmp

memory/1656-184-0x0000000007EA0000-0x0000000007EB1000-memory.dmp

memory/1656-185-0x00000000066E0000-0x00000000066F4000-memory.dmp

memory/1592-192-0x0000000005C50000-0x0000000005FA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1540b0bdee2badfe5b8aee88d89f497
SHA1 1684555155bc1f130f1d00d36d63fbee5c33028d
SHA256 865c5f2585c69ad1b26d95ef3e45bb4bda8271e714757ecda75ef349ba9bfcf2
SHA512 f4fab6d5f83ea4b7fd29bbbc64128e29e5702370ed88a30f33873911c5e9683557cb347d9543f3a1b476fd9e08edd98d4a06f6cd7538bd22cb4f1d54006cda56

memory/1592-199-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/1592-200-0x0000000070D20000-0x0000000071074000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2304-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/696-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1392-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/696-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2304-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1392-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2304-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1392-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2304-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-243-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-251-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-255-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-259-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-264-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2304-267-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:53

Reported

2024-05-15 23:56

Platform

win11-20240426-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
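
The sc.exe launch recorded here has no indicator attached, but the behavioral1 process list above shows what it did: sc sdset WinDefender followed by an SDDL string that replaces the security descriptor of the service the sample registered under that name. The string is compact but fully decodable: each ACE is (type;flags;rights;;;trustee), and the two-letter right codes map onto service-specific access rights. The Python below is an added example, not part of the report, that parses that string, shows what the deny ACE (D;;WPDT;;;BA) removes from BUILTIN\Administrators, and checks what an administrator still holds. The baseline descriptor it compares against is the one Windows assigns to most services by default; it is included here as an assumption for comparison and is not taken from the report.

```python
import re
from dataclasses import dataclass

# Descriptor written by the sample, copied from the sc sdset command line in behavioral1.
GLUPTEBA_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumption: the descriptor Windows gives most services by default, used only as a baseline.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# SDDL two-letter codes, interpreted for service objects.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT", "AL": "ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
SIDS = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
        "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone",
        "AU": "NT AUTHORITY\\Authenticated Users", "LS": "NT AUTHORITY\\LOCAL SERVICE",
        "NS": "NT AUTHORITY\\NETWORK SERVICE"}


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: tuple
    rights: frozenset
    trustee: str


def _codes(s):
    """Split a run of two-letter SDDL codes such as 'WPDT' into ['WP', 'DT']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(body):
    """Decode one ACE body 'type;flags;rights;object_guid;inherit_guid;sid'."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
    if rights.lower().startswith("0x"):            # numeric access-mask form
        names = frozenset({f"0x{int(rights, 16):08X}"})
    else:
        names = frozenset(RIGHTS.get(c, c) for c in _codes(rights))
    return Ace(ACE_TYPES.get(ace_type, ace_type),
               tuple(ACE_FLAGS.get(f, f) for f in _codes(flags)),
               names, SIDS.get(sid, sid))


def parse_sddl(sddl):
    """Return {'dacl': [Ace, ...], 'sacl': [Ace, ...]} for an SDDL string."""
    acls = {"dacl": [], "sacl": []}
    for prefix, key in (("D", "dacl"), ("S", "sacl")):
        m = re.search(rf"{prefix}:((?:\([^)]*\))*)", sddl)
        if m:
            acls[key] = [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", m.group(1))]
    return acls


def effective_rights(sddl, trustee="BUILTIN\\Administrators"):
    """(allowed - denied, denied) for one trustee. Deny is treated as absolute, which is exact for
    canonical DACLs (denies first) and for this one, whose BA allow ACE already lacks WP and DT."""
    dacl = parse_sddl(sddl)["dacl"]
    allowed = set().union(*(a.rights for a in dacl if a.ace_type == "ALLOW" and a.trustee == trustee))
    denied = set().union(*(a.rights for a in dacl if a.ace_type == "DENY" and a.trustee == trustee))
    return allowed - denied, denied


def removed_vs_baseline(sddl, baseline, trustee="BUILTIN\\Administrators"):
    """Rights the trustee holds under the baseline but not under the given descriptor."""
    return effective_rights(baseline, trustee)[0] - effective_rights(sddl, trustee)[0]


# Rights that still let an administrator undo the change, with the sc.exe verb that needs each.
RECOVERY = {"WRITE_DAC": "sc sdset", "DELETE": "sc delete", "SERVICE_CHANGE_CONFIG": "sc config"}


def recovery_paths(sddl):
    kept, _ = effective_rights(sddl)
    return {right: verb for right, verb in RECOVERY.items() if right in kept}


if __name__ == "__main__":
    for ace in parse_sddl(GLUPTEBA_SDDL)["dacl"]:
        print(ace.ace_type, ace.trustee, sorted(ace.rights))
    print("removed from admins:", sorted(removed_vs_baseline(GLUPTEBA_SDDL, DEFAULT_SERVICE_SDDL)))
    print("recovery:", recovery_paths(GLUPTEBA_SDDL))
```

Decoded, the change is narrow: Administrators lose SERVICE_STOP and SERVICE_PAUSE_CONTINUE, both by omission from their allow ACE and by the explicit deny, so sc stop and net stop fail with access denied while the service is running as SYSTEM. They keep WRITE_DAC, DELETE and SERVICE_CHANGE_CONFIG, so from an elevated shell sc sdset with the baseline descriptor (or sc delete, or sc config start= disabled followed by a reboot) restores control; this is the remediation path to take before trying to stop the service again. The single SACL entry, a failed-access audit for Everyone, is the ordinary default and not part of the tampering.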

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5100 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\system32\cmd.exe
PID 4936 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\system32\cmd.exe
PID 4212 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4212 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4936 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\rss\csrss.exe
PID 4936 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\rss\csrss.exe
PID 4936 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe C:\Windows\rss\csrss.exe
PID 2740 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 4604 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 4828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 4828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 4828 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 3556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 3556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 3556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2740 wrote to memory of 1996 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2740 wrote to memory of 1996 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1632 wrote to memory of 348 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 348 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 348 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 348 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 348 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
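The WriteProcessMemory rows above double as a process-creation graph: every row is a parent writing into a child it has just spawned, and the sandbox repeats a row once per write call. The script below (an added example for this report, not part of the sandbox's tooling) parses rows in exactly that format, collapses the repeats and rebuilds the lineage, so that sc.exe can be traced back to windefender.exe and injector.exe back to the second copy of the sample. The rows are copied from the table; only the duplicates have been trimmed, except the first three, which are kept to show the de-duplication.

```python
"""Rebuild process lineage from 'Suspicious use of WriteProcessMemory' rows.
Added example for this report; not part of the sandbox's own tooling."""
import re
from collections import defaultdict

# Image paths exactly as they appear in the table above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WINDEF = r"C:\Windows\windefender.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"

# The 13 distinct rows of the table above, in the sandbox's own row format.
# The first row is kept three times, as the sandbox printed it, to show de-duplication.
TABLE = "\n".join([
    f"PID 5100 wrote to memory of 3604 N/A {SAMPLE} {PS}",
    f"PID 5100 wrote to memory of 3604 N/A {SAMPLE} {PS}",
    f"PID 5100 wrote to memory of 3604 N/A {SAMPLE} {PS}",
    f"PID 4936 wrote to memory of 1952 N/A {SAMPLE} {PS}",
    f"PID 4936 wrote to memory of 4212 N/A {SAMPLE} {CMD64}",
    f"PID 4212 wrote to memory of 1316 N/A {CMD64} {NETSH}",
    f"PID 4936 wrote to memory of 4420 N/A {SAMPLE} {PS}",
    f"PID 4936 wrote to memory of 1392 N/A {SAMPLE} {PS}",
    f"PID 4936 wrote to memory of 2740 N/A {SAMPLE} {CSRSS}",
    f"PID 2740 wrote to memory of 4604 N/A {CSRSS} {PS}",
    f"PID 2740 wrote to memory of 4828 N/A {CSRSS} {PS}",
    f"PID 2740 wrote to memory of 3556 N/A {CSRSS} {PS}",
    f"PID 2740 wrote to memory of 1996 N/A {CSRSS} {INJECTOR}",
    f"PID 1632 wrote to memory of 348 N/A {WINDEF} {CMD32}",
    f"PID 348 wrote to memory of 2728 N/A {CMD32} {SC}",
])

# "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return ({pid: image}, {parent_pid: [child_pid, ...]}) with duplicate rows collapsed."""
    image, children, seen = {}, defaultdict(list), set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m.group(3))
        image.setdefault(cpid, m.group(4))
        if (ppid, cpid) not in seen:          # the sandbox logs one row per write call
            seen.add((ppid, cpid))
            children[ppid].append(cpid)
    return image, dict(children)


def roots(children):
    """PIDs that write into others but are never written into: the tree roots."""
    kids = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in kids)


def lineage(pid, children):
    """Chain of PIDs from the root down to `pid`."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(image, children):
    """Indented tree, one line per process: '<pid> <image>'."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {image[pid]}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots(children):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    img, ch = parse_rows(TABLE)
    print("\n".join(render(img, ch)))
```

Three roots come out: 5100 (the first run of the sample), 4936 (the second run; its image range 0x400000-0x2B0B000 in the Files list matches memory/5100-52, so it is the same binary relaunched) and 1632 (windefender.exe, whose parent never appears in this table). The sc.exe call that rewrites the service DACL therefore belongs to windefender.exe, not to the dropper, which matters when the two are seen separately on a host.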

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe

"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe

"C:\Users\Admin\AppData\Local\Temp\bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
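The sc sdset line is the part of this process list most worth decoding: it rewrites the security descriptor of the "WinDefender" service (a name chosen to resemble the real Windows Defender service, WinDefend). The SDDL reads as the default service DACL with two changes: SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) are removed from the Administrators allow ACE, and an explicit deny ACE for those two rights is inserted, so "sc stop" or "net stop" from an elevated prompt fails with access denied. The script below is an added example, not tooling from the report: it parses the SDDL with the two-letter service right codes Microsoft documents for service security descriptors and diffs it against a baseline. The baseline string is an assumption for this example, taken from Microsoft's guidance on default service DACLs.

```python
"""Decode the service DACL set by `sc sdset WinDefender ...` and diff it
against the default service DACL. Added example; not tooling from the report."""
import re

# Service-specific rights as they are spelled inside SDDL ACE strings
# (Microsoft's documented mapping for service security descriptors).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# The string from the sc.exe command line above.
MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Baseline: the default DACL of a newly created service. Assumption for this
# example, taken from Microsoft's service DACL guidance.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE = re.compile(r"\((\w+);(\w*);(\w*);[^;]*;[^;]*;(\w+)\)")


def parse_dacl(sddl):
    """DACL as an ordered list of (ace_type, trustee, frozenset(right codes)); the SACL is ignored."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace_type, _flags, rights, sid in ACE.findall(dacl):
        codes = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
        aces.append((ACE_TYPES.get(ace_type, ace_type), TRUSTEES.get(sid, sid), codes))
    return aces


def can(aces, trustee, right):
    """Single-right access check with Windows' first-match ACE walk:
    the first ACE for the trustee that mentions the right decides."""
    for ace_type, who, codes in aces:
        if who != trustee or right not in codes:
            continue
        return ace_type == "ALLOW"
    return False                                  # no ACE grants it


def explicit_denies(aces):
    return [(who, sorted(codes)) for t, who, codes in aces if t == "DENY"]


def diff_rights(aces, baseline):
    """Per trustee, the rights the baseline grants that `aces` no longer does."""
    lost = {}
    for who in sorted({w for _, w, _ in baseline}):
        gone = sorted(r for r in SERVICE_RIGHTS if can(baseline, who, r) and not can(aces, who, r))
        if gone:
            lost[who] = [f"{r}={SERVICE_RIGHTS[r]}" for r in gone]
    return lost


if __name__ == "__main__":
    mal, base = parse_dacl(MALWARE_SDDL), parse_dacl(DEFAULT_SDDL)
    print("explicit denies:", explicit_denies(mal))
    print("rights lost vs default:", diff_rights(mal, base))
    print("admins keep WRITE_DAC:", can(mal, "Administrators", "WD"))
```

The deny is placed after the Administrators allow ACE, which is non-canonical order; it still takes effect here only because WP and DT were also stripped from that allow ACE, since Windows grants a right at the first allow ACE that covers it. Administrators keep WRITE_DAC and WRITE_OWNER, so recovery is `sc sdset WinDefender <default SDDL>` (or taking ownership) followed by the stop, with the service's binary C:\Windows\windefender.exe and the rss\csrss.exe scheduled task and firewall rule removed in the same pass.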

Network

Country Destination Domain Proto
US 8.8.8.8:53 482a35d8-2a5e-4ef8-bf23-071dc69bb4a0.uuid.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.statsexplorer.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
NL 52.111.243.31:443 tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
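Not every row in the Network table is an indicator worth blocking: three rows are lookups against 8.8.8.8, one is a STUN probe to Google and one is a Discord CDN fetch that a blanket block would turn into noise. What ties the rest together is the first DNS query, whose leftmost label is a UUID; a per-victim name under statsexplorer.org marks that apex as beacon infrastructure, and the repeated TLS sessions to server12.statsexplorer.org on 185.82.216.108 fall under it. The script below is an added example, not tooling from the report: it parses rows in the table's flat format, collapses repeats and sorts destinations by that reasoning. The "shared infrastructure" set and the two-label apex approximation are assumptions made for this example.

```python
"""Triage the Network table: parse the flat rows, collapse repeats and
classify destinations. Added example; not tooling from the report."""
import re
from collections import Counter

# Rows copied from the Network table above.
NETWORK = """\
US 8.8.8.8:53 482a35d8-2a5e-4ef8-bf23-071dc69bb4a0.uuid.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.statsexplorer.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
NL 52.111.243.31:443 tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
"""
# "<country> <ip>:<port> [<domain>] <proto>"; the domain column may be empty.
ROW = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+)(?: (\S+))? (tcp|udp)$")
UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
RESOLVERS = {"8.8.8.8"}
# Assumption: third-party services the malware uses but does not own.
SHARED = {"cdn.discordapp.com", "stun3.l.google.com"}


def apex(host):
    """Registrable domain, approximated as the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def parse(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            cc, ip, port, host, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "host": host, "proto": proto})
    return rows


def beacon_apexes(rows):
    """Apexes that received a query whose leftmost label is a UUID: per-victim naming."""
    return {apex(r["host"]) for r in rows if r["host"] and UUID.match(r["host"].split(".")[0])}


def triage(rows):
    """{(ip, port, host): (category, hit_count)} with repeated rows collapsed."""
    apexes = beacon_apexes(rows)
    out = {}
    for (ip, port, host), n in Counter((r["ip"], r["port"], r["host"]) for r in rows).items():
        if ip in RESOLVERS and port == 53:
            cat = "dns-query"          # the query name, not 8.8.8.8, is the indicator
        elif host in SHARED:
            cat = "shared-infra"       # watch, but do not block the whole service
        elif host and apex(host) in apexes:
            cat = "beacon-infra"
        else:
            cat = "unclassified"       # no name in the table: do not guess an owner
        out[(ip, port, host)] = (cat, n)
    return out


def block_list(rows):
    """(names, ips) tied to the beacon apex: the indicators worth blocking outright."""
    apexes = beacon_apexes(rows)
    names = sorted({r["host"] for r in rows if r["host"] and apex(r["host"]) in apexes})
    ips = sorted({ip for (ip, _p, _h), (cat, _n) in triage(rows).items() if cat == "beacon-infra"})
    return names, ips


if __name__ == "__main__":
    for key, (cat, n) in triage(parse(NETWORK)).items():
        print(f"{cat:14} x{n}  {key}")
    print(block_list(parse(NETWORK)))
```

carsalessystem.com and the unnamed 52.111.243.31 stay unclassified on purpose: the table gives no reason to tie either to the beacon apex, and a block list built from a single detonation should only carry what the evidence supports. cdn.discordapp.com belongs on a watchlist rather than a block list; it is widely used to stage payloads, but a domain-level block would break legitimate traffic.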

Files

memory/5100-1-0x0000000004950000-0x0000000004D4D000-memory.dmp

memory/5100-2-0x0000000004D50000-0x000000000563B000-memory.dmp

memory/5100-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3604-4-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

memory/3604-5-0x0000000000E00000-0x0000000000E36000-memory.dmp

memory/3604-6-0x0000000004EB0000-0x00000000054DA000-memory.dmp

memory/3604-7-0x0000000074CD0000-0x0000000075481000-memory.dmp

memory/3604-8-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

memory/3604-10-0x00000000054E0000-0x0000000005546000-memory.dmp

memory/3604-9-0x0000000004D50000-0x0000000004DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4qgdksb.kll.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3604-20-0x0000000074CD0000-0x0000000075481000-memory.dmp

memory/3604-19-0x0000000005550000-0x00000000058A7000-memory.dmp

memory/3604-21-0x0000000005A60000-0x0000000005A7E000-memory.dmp

memory/3604-22-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

memory/3604-23-0x0000000006020000-0x0000000006066000-memory.dmp

memory/3604-24-0x0000000006E70000-0x0000000006EA4000-memory.dmp

memory/3604-26-0x0000000071190000-0x00000000714E7000-memory.dmp

memory/3604-37-0x0000000006EF0000-0x0000000006F94000-memory.dmp

memory/3604-36-0x0000000074CD0000-0x0000000075481000-memory.dmp

memory/3604-35-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

memory/3604-25-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/3604-38-0x0000000074CD0000-0x0000000075481000-memory.dmp

memory/3604-40-0x0000000007020000-0x000000000703A000-memory.dmp

memory/3604-39-0x0000000007660000-0x0000000007CDA000-memory.dmp

memory/3604-41-0x0000000007060000-0x000000000706A000-memory.dmp

memory/3604-42-0x0000000007170000-0x0000000007206000-memory.dmp

memory/3604-43-0x0000000007080000-0x0000000007091000-memory.dmp

memory/3604-44-0x00000000070D0000-0x00000000070DE000-memory.dmp

memory/3604-45-0x00000000070E0000-0x00000000070F5000-memory.dmp

memory/3604-46-0x0000000007130000-0x000000000714A000-memory.dmp

memory/3604-47-0x0000000007150000-0x0000000007158000-memory.dmp

memory/3604-50-0x0000000074CD0000-0x0000000075481000-memory.dmp

memory/5100-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5100-53-0x0000000004950000-0x0000000004D4D000-memory.dmp

memory/5100-54-0x0000000004D50000-0x000000000563B000-memory.dmp

memory/1952-63-0x0000000006310000-0x0000000006667000-memory.dmp

memory/1952-64-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/1952-74-0x0000000007AC0000-0x0000000007B64000-memory.dmp

memory/1952-65-0x00000000710E0000-0x0000000071437000-memory.dmp

memory/1952-75-0x0000000007DF0000-0x0000000007E01000-memory.dmp

memory/1952-76-0x0000000007E40000-0x0000000007E55000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0b888f21dff806809971cbb7aa27c2d5
SHA1 c70c013a2bbe9f23239612e720216a5291436f45
SHA256 cb2568d3a853ec5ee1533a71723b3aa8736a4716a97f30d4e33061dfaa8ea37d
SHA512 caa22c1f7e80999736819b69891e81ab6c0c619caa9898e75b76fddf94b6ecf934617f029befe347d33d1351103c2a5aaa7070a9f145525155d8b2112fa4e3be

memory/4420-89-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/4420-90-0x0000000071190000-0x00000000714E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4336f91c79d75b3293a909ad9dae2d3d
SHA1 117ec4b47301f2e9c65ad3ed6af24d9d4fd2820b
SHA256 9bce49b111b473aa0c90961fa2fa80133aa7275d1a55722277aaf56a38d33a05
SHA512 c55cfed601fa95b6fbc8d1d06d8a0df1eb2bb39968437f8f8eaee11964c0c98ff16ed95409763b81fa39aca9eea1923c29909ed516d38036a3083b68453d07a7

memory/5100-110-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4936-109-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1392-112-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/1392-113-0x0000000071190000-0x00000000714E7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c6d95408372f488cbf3a36d5a80448b9
SHA1 e7914c3d193fbcd3c2d6fbea3c0e912df44969c3
SHA256 bf27bac5ca5fd8f1b991836540d8cb7c4a29b443579ab6a182ce805048d745e3
SHA512 050b81c3676b1309e590c5c7fa1e7c5bbb31cbcf67f6a8ba84679df48b7f551181077b55934484f739618044b658afc7f83a8ebe6554b39639cee0057319f904

memory/4936-128-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a717f6bb1968fa1e6142ca6477034985
SHA1 3a4a3482d641817d2652e4c748ab73e87fdbf9c4
SHA256 693ff6448503cc7afe988509599960996de18c474c395d865f0149e61a9f9561
SHA512 cec74913920e6065ffc49e7de07e360f5ee84c7f3a75e0fc4fe3d3c4cc1b0ec7b9e80e6fde730b4b9af5bdf91bdaf0b613f56a968a0ffa46024f32aa4d39884e

memory/4604-139-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/4604-140-0x0000000071190000-0x00000000714E7000-memory.dmp

memory/4828-157-0x00000000059C0000-0x0000000005D17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 90369192926cad116c3aa6f0e887792a
SHA1 2347967782b0e4f5b58c76e42b6f84139a13526f
SHA256 97e867b36217d883a2cca0938c29a0dd69d9420e89b04f6bc6cc9fa1c34e095d
SHA512 ce36b33ab999e6376e9ef6eda21c5ea43c93b5869ebbcb113fb6c96121bb490a631b87cf45be568bb5fc2bbd3196546c98f695186d5c91e8e6781d9511909498

memory/4828-160-0x0000000006290000-0x00000000062DC000-memory.dmp

memory/4828-161-0x0000000070E60000-0x0000000070EAC000-memory.dmp

memory/4828-162-0x0000000071090000-0x00000000713E7000-memory.dmp

memory/4828-171-0x0000000007240000-0x00000000072E4000-memory.dmp

memory/4828-172-0x0000000007590000-0x00000000075A1000-memory.dmp

memory/4828-173-0x0000000005DE0000-0x0000000005DF5000-memory.dmp

memory/3556-184-0x00000000062C0000-0x0000000006617000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 522541382059c75a539033e145693f21
SHA1 db4a399f56896ffc2d1a697e807b8b06ff2357a0
SHA256 9d9d0929e0af00382948569868b519273f2d88f1faca186736cd1375f9fea5c7
SHA512 67cb6b51b1e71880af383729bf1b5c3bebe24bd50e4d88439f1b9fb492f28741817c596cd8547437f151170c9fbad4b231e63f709661d16d6baf01cf99385e2f

memory/3556-186-0x0000000070E60000-0x0000000070EAC000-memory.dmp

memory/3556-187-0x0000000070FE0000-0x0000000071337000-memory.dmp

memory/2740-198-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2740-206-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1632-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4964-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1632-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2740-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4964-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2740-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4964-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2740-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2740-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2740-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2740-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2740-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2740-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2740-250-0x0000000000400000-0x0000000002B0B000-memory.dmp